CVE-2026-39531
WP Directory Kit · WP Directory Kit
The WP Directory Kit plugin for WordPress is vulnerable to Blind SQL Injection, allowing attackers to extract sensitive database information.
Executive summary
A critical SQL injection vulnerability in the WP Directory Kit plugin for WordPress allows attackers to extract sensitive data from the site database.
Vulnerability
The plugin fails to properly neutralize special characters in SQL commands, resulting in a Blind SQL Injection vulnerability. An attacker can craft malicious queries to extract database contents, including user credentials and configuration details.
Business impact
With a CVSS score of 9.3, this flaw is rated critical. It allows unauthorized extraction of sensitive data, which could lead to exposure of user information, site compromise, or follow-on attacks that use the stolen data.
Remediation
Immediate Action: Update the WP Directory Kit plugin to the latest version.
Proactive Monitoring: Monitor database query logs for suspicious patterns or anomalous error messages indicative of SQL injection attempts.
Compensating Controls: Use a Web Application Firewall (WAF) to detect and block malicious SQL injection payloads targeting WordPress plugins.
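The monitoring step above is easier to act on with concrete logic. The following script is an added example, not code from the advisory or from the WP Directory Kit plugin: it scans MySQL general-log style lines (the line format and the sample entries are constructed for the example) for indicators typical of blind SQL injection probing, namely time-delay functions, comparisons of two literals, and SQL comment terminators, and then groups flagged queries into templates so a burst of near-identical probes stands out. The rule set is a heuristic and the advisory does not identify the plugin's injection point, so tune the rules to your own query baseline.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in MySQL general-log style: "<timestamp> <command> <text>".
# Not taken from any real site; line 3 contains a delay function and lines
# 4-6 are literal-vs-literal comparisons, which legitimate WordPress queries
# do not produce.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z Query SELECT * FROM wp_posts WHERE ID = 42
2026-03-01T10:00:01Z Query SELECT option_value FROM wp_options WHERE option_name = 'siteurl'
2026-03-01T10:00:02Z Query SELECT * FROM wp_posts WHERE ID = 42 AND SLEEP(5)
2026-03-01T10:00:03Z Query SELECT * FROM wp_posts WHERE ID = 42 AND 1=1
2026-03-01T10:00:04Z Query SELECT * FROM wp_posts WHERE ID = 42 AND 1=2
2026-03-01T10:00:05Z Query SELECT * FROM wp_posts WHERE ID = 42 AND 2=2
2026-03-01T10:00:06Z Quit
2026-03-01T10:00:07Z Query SELECT * FROM wp_posts WHERE ID = 7
"""

# Heuristic indicators (assumed rule set, adjust to your environment).
RULES = [
    ("time-based delay function", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean comparison of literals", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
    ("comment terminator", re.compile(r"--\s|/\*.*?\*/")),
]

# One general-log record: timestamp, command type, then the statement text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+Query\s+(?P<sql>.*)$")


@dataclass
class Finding:
    line_no: int
    rule: str
    query: str


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per (query line, matching rule)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # Connect/Quit and other non-query records
        sql = m.group("sql")
        for name, rx in RULES:
            if rx.search(sql):
                findings.append(Finding(line_no, name, sql))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per rule name."""
    return Counter(f.rule for f in findings)


def normalize(sql: str) -> str:
    """Replace string and numeric literals with '?' so that queries which
    differ only in the probed value collapse into one template."""
    t = re.sub(r"'[^']*'", "'?'", sql)
    t = re.sub(r"\b\d+\b", "?", t)
    return re.sub(r"\s+", " ", t).strip()


def probe_bursts(findings: List[Finding], threshold: int = 3) -> Dict[str, int]:
    """Templates of flagged queries seen at least `threshold` times. Blind
    extraction typically repeats one statement shape many times while
    varying a single literal, so a repeated flagged template is a stronger
    signal than any one line."""
    counts = Counter(normalize(f.query) for f in findings)
    return {tpl: n for tpl, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.rule}: {f.query}")
    print("summary:", dict(summarize(found)))
    print("bursts:", probe_bursts(found))
```

Run the script against a real general log (or a query log exported from a database proxy) in place of `SAMPLE_LOG`; an alert on `probe_bursts` output, rather than on each single match, keeps noise from one-off legitimate queries that happen to contain a comment low while still catching the repeated pattern that blind extraction requires.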
Exploitation status
Public Exploit Available: No
Analyst recommendation
Administrators should update this plugin immediately. Given the nature of SQL injection, organizations should also review their database for signs of unauthorized access or data exfiltration following the discovery of this vulnerability.