CVE-2025-13089
WP · WP Directory Kit plugin for WordPress
Executive summary
A high-severity vulnerability has been identified in the WP Directory Kit plugin for WordPress. This flaw, a SQL Injection, allows an unauthenticated attacker to manipulate the website's database by sending malicious data. Successful exploitation could lead to the theft of sensitive information, such as user credentials and private data, or website defacement.
Vulnerability
The vulnerability is a SQL Injection caused by insufficient input sanitization on the hide_fields and attr_search parameters within the plugin. An unauthenticated remote attacker can craft a request that carries SQL syntax in these parameters. Because the application fails to validate this input before using it in a query, the injected SQL is executed by the website's database, allowing the attacker to read, modify, or delete data and potentially gain further access to the underlying system.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit could have significant business consequences, including a major data breach exposing customer personally identifiable information (PII), user credentials, and other confidential business data. Such an incident could result in severe reputational damage, loss of customer trust, regulatory fines, and financial losses associated with incident response and recovery. Attackers could also deface the website or disrupt business operations by deleting or corrupting database information.
Remediation
Immediate Action: Update the WP Directory Kit plugin without delay to the latest version provided by the vendor, which contains a patch for this vulnerability. If the plugin is not critical to business operations, the recommended course of action is to disable and completely remove it to eliminate this attack vector. Additionally, review all WordPress security settings to ensure they align with security best practices.
Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for any requests targeting the WP Directory Kit plugin that contain suspicious SQL syntax (e.g., UNION, SELECT, ' OR '1'='1) in the hide_fields or attr_search parameters. Watch for unusual database activity, such as unexpected queries or high CPU load, and monitor for any unauthorized modifications to website content.
Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) and ensure its ruleset is configured to detect and block SQL Injection attacks. Enforce the principle of least privilege by ensuring the database user account for the WordPress application has the minimum permissions necessary to function. Restrict access to the WordPress administrative dashboard to trusted IP addresses only.
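The log-monitoring guidance above can be turned into a concrete check. The following Python script is an added example written for this advisory, not code from the plugin vendor or from the original page: it parses web server access log lines in the common combined format, decodes the query string, and flags only requests whose hide_fields or attr_search parameters carry SQL syntax such as the UNION/SELECT and ' OR '1'='1 patterns named above. The log lines are constructed sample data, and the indicator patterns and the assumption that the two parameter names alone identify the plugin's requests are the example's own choices, since the page does not give the plugin's request path.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Parameters the advisory names as the injection sink.
WATCHED_PARAMS = {"hide_fields", "attr_search"}

# Heuristic SQL-injection indicators (case-insensitive). These follow the
# syntax the advisory tells defenders to watch for; tune for false positives
# before alerting on them in production. Assumed patterns, not from the page.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\bselect\b.+\bfrom\b", re.I),
    re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I),   # ' OR '1'='1
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),         # OR 1=1
    re.compile(r"--|/\*"),                                # SQL comment tokens
    re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(", re.I),   # time-based probes
]

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log: one benign request, two probes against the
# watched parameters, and one SQL-looking value in an unrelated parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:10:01:02 +0000] "GET /?attr_search=garden&hide_fields=price HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Nov/2025:10:01:05 +0000] "GET /?attr_search=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:02:11 +0000] "GET /?hide_fields=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 310 "-" "curl/8.4"
198.51.100.7 - - [10/Nov/2025:10:02:30 +0000] "GET /?s=union+select HTTP/1.1" 200 4000 "-" "curl/8.4"
"""


def extract_watched_params(path):
    """Return {param: [decoded values]} for the watched parameters in a request path."""
    query = urlparse(path).query
    params = parse_qs(query, keep_blank_values=True)  # decodes one layer
    # A second decode catches double-encoded payloads (%2527 -> %27 -> ').
    return {
        name: [unquote_plus(v) for v in values]
        for name, values in params.items()
        if name in WATCHED_PARAMS
    }


def sqli_indicators(value):
    """Return the patterns (as strings) that match the given parameter value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def scan_log_line(line):
    """Return a finding dict for a suspicious request, or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; count these separately in real use
    hits = {}
    for name, values in extract_watched_params(m.group("path")).items():
        for v in values:
            indicators = sqli_indicators(v)
            if indicators:
                hits.setdefault(name, []).append({"value": v, "indicators": indicators})
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [f for f in (scan_log_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        for param, entries in finding["hits"].items():
            for e in entries:
                print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
                      f"param={param} value={e['value']!r} matched={e['indicators']}")
```

Running the script prints two findings: the encoded ' OR '1'='1 value in attr_search and the UNION SELECT value in hide_fields. The benign search and the SQL-looking value in the unrelated s parameter are ignored, which keeps the check scoped to the parameters this advisory concerns; a 500 response on a flagged request is worth correlating with the database logs, since it may indicate the injected syntax reached the query.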
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the potential for a complete database compromise, it is strongly recommended that organizations prioritize the immediate remediation of this vulnerability. All instances of the WP Directory Kit plugin should be updated to a patched version without delay. While this vulnerability is not yet on the CISA KEV list, the ease of exploitation for this flaw type presents a significant risk, and organizations should assume it will be targeted by attackers in the near future.