CVE-2026-49073
wpWax · Directorist Booking
A blind SQL injection vulnerability in the wpWax Directorist Booking plugin allows authenticated users to exfiltrate database information.
Executive summary
The Directorist Booking plugin contains a high-severity blind SQL injection vulnerability (CVSS 8.5) that allows authenticated attackers to run attacker-controlled SQL conditions against the site database and infer its contents.
Vulnerability
This flaw stems from insufficient neutralization of user-supplied input within the plugin's booking functionality: a request parameter reaches a database query without being bound as a parameter or otherwise neutralized, so an authenticated user can alter the query's logic. The injection is blind, meaning the query's output is not returned to the attacker directly; instead the attacker observes whether the booking request behaves differently (a result versus no result, or a delay) and infers database contents one true/false answer at a time. This is slower than a classic injection but fully automatable, and it can still lead to extraction of sensitive data from the database.
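The following worked example is added here to illustrate the mechanism described above; it is not code from the Directorist Booking plugin and does not reproduce the plugin's actual flaw. The schema, table and column names, the booking_exists_* functions, and the probe payload are all constructed for illustration. It contrasts a lookup that splices a request parameter into SQL text with the same lookup using a bound parameter, and shows how a caller that only learns "row or no row" can still be used as a boolean oracle to read a value from an unrelated table.

```python
import sqlite3

# Constructed in-memory schema for illustration; it is not the plugin's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, user_id INTEGER, note TEXT)")
    conn.execute("CREATE TABLE options (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                     [(1, 7, "table for two"), (2, 9, "window seat")])
    conn.execute("INSERT INTO options VALUES ('api_key', 'k9x2')")
    conn.commit()
    return conn

def booking_exists_vulnerable(conn: sqlite3.Connection, booking_id: str) -> bool:
    # Insufficient neutralization: the request parameter is spliced into the SQL
    # text, so the caller controls part of the WHERE clause. The function only
    # reports whether a row came back, which is all a blind injection needs.
    sql = f"SELECT id FROM bookings WHERE id = {booking_id}"
    return conn.execute(sql).fetchone() is not None

def booking_exists_safe(conn: sqlite3.Connection, booking_id: str) -> bool:
    # Hardened: validate the type, then bind the value as a parameter so it can
    # never be parsed as SQL. (In WordPress the equivalent is $wpdb->prepare().)
    try:
        bid = int(booking_id)
    except ValueError:
        return False
    row = conn.execute("SELECT id FROM bookings WHERE id = ?", (bid,)).fetchone()
    return row is not None

def blind_extract(oracle, length: int) -> str:
    # Boolean-based blind inference: each call asks one yes/no question about a
    # single character of a value in another table. The oracle stands in for the
    # authenticated endpoint; its True/False answer is the only channel available.
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, length + 1):          # SQLite substr() is 1-indexed
        for ch in charset:
            probe = (f"1 AND (SELECT substr(value, {pos}, 1) FROM options "
                     f"WHERE name = 'api_key') = '{ch}'")
            if oracle(probe):
                recovered += ch
                break
    return recovered

if __name__ == "__main__":
    db = make_db()
    # Against the vulnerable lookup the secret is recovered; against the bound
    # query every probe fails int() validation and nothing is recovered.
    print("vulnerable:", blind_extract(lambda p: booking_exists_vulnerable(db, p), 4))
    print("hardened:  ", repr(blind_extract(lambda p: booking_exists_safe(db, p), 4)))
```

Each recovered character costs up to one request per candidate, which is why blind exploitation shows up in logs as a long burst of near-identical requests from one session rather than as a single anomalous query.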
Business impact
With a CVSS score of 8.5 (High), this vulnerability represents a high risk to business operations. Exploitation could result in the theft of proprietary business data, customer booking information, or other sensitive records held in the site database, leading to significant reputational and operational damage.
Remediation
Immediate Action: Update the Directorist Booking plugin to the latest patched version released by wpWax.
Proactive Monitoring: Blind SQL injection is rarely visible as a single suspicious query; it appears as a long run of near-identical requests. Review web server access logs for high-frequency, repeated requests to the plugin's booking endpoints from a single account or client, especially requests whose parameters decode to SQL fragments (SLEEP, BENCHMARK, SUBSTR, appended AND/OR conditions). Where the database slow-query log is enabled, time-based probes also surface there as unusually slow booking queries.
Compensating Controls: Until the update is applied, WAF filtering can reduce exposure by blocking common SQL injection payloads targeting the application's booking endpoints. Treat this as a stopgap only: blind payloads are easily varied to evade signature rules, and the WAF does not fix the underlying query.
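As an added example of the monitoring recommendation above (not part of the original advisory and not a tool shipped by wpWax), the script below scans combined-format web server access log lines for the two signals described: SQL fragments in URL-decoded request parameters, and bursts of requests to the booking feature from one client. The log lines, the admin-ajax action name, the client addresses and user names are all constructed for the example; the endpoint path and the "booking" path hint are assumptions and should be replaced with the real plugin endpoints on the site being reviewed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/Nginx combined-log style line: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures typical of automated blind SQLi probing (time-based and boolean-based).
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bsleep\s*\(",                                      # MySQL time-based probe
    r"\bbenchmark\s*\(",                                  # CPU-burn time-based probe
    r"\bsubstr(?:ing)?\s*\(",                             # character-at-a-time extraction
    r"\b(?:and|or)\b\s+\(?\s*(?:select\b|\d+\s*[=<>])",   # condition appended to a clause
    r"\bunion\b\s+(?:all\s+)?select\b",
    r"--\s|/\*",                                          # comment terminators
)]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["decoded"] = unquote_plus(rec["url"])   # payloads arrive URL-encoded
    return rec

def sqli_hits(decoded_url):
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded_url)]

def scan(lines, path_hint="booking", window_s=60, burst_threshold=20):
    """Per-client findings for requests whose URL mentions the booking feature."""
    per_ip = defaultdict(lambda: {"requests": [], "flagged": 0, "examples": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or path_hint not in rec["decoded"]:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"].append(rec["ts"])
        if sqli_hits(rec["decoded"]):
            entry["flagged"] += 1
            if len(entry["examples"]) < 3:
                entry["examples"].append(rec["decoded"])
    findings = {}
    for ip, entry in per_ip.items():
        times = sorted(entry["requests"])
        peak, start = 0, 0
        for end in range(len(times)):   # sliding window: most requests inside window_s
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        burst = peak >= burst_threshold
        if entry["flagged"] or burst:
            findings[ip] = {"flagged": entry["flagged"], "peak_per_window": peak,
                            "burst": burst, "examples": entry["examples"]}
    return findings

def sample_lines():
    # Constructed log lines: two normal lookups, then one authenticated client
    # hammering the (hypothetical) booking endpoint with extraction probes.
    base = '{ip} - {user} [10/Oct/2025:13:55:{sec:02d} +0000] "GET {url} HTTP/1.1" 200 512'
    ep = "/wp-admin/admin-ajax.php?action=booking_lookup&booking_id="
    lines = [base.format(ip="203.0.113.5", user="alice", sec=1, url=ep + "1"),
             base.format(ip="203.0.113.5", user="alice", sec=9, url=ep + "2")]
    for i in range(25):
        probe = f"1%20AND%20(SELECT%20substr(value,{i + 1},1)%20FROM%20options)%3D'a'"
        lines.append(base.format(ip="198.51.100.7", user="bob", sec=i, url=ep + probe))
    lines.append(base.format(ip="198.51.100.7", user="bob", sec=30, url=ep + "1%20AND%20SLEEP(5)"))
    return lines

if __name__ == "__main__":
    for ip, f in scan(sample_lines()).items():
        print(ip, f["flagged"], "flagged,", f["peak_per_window"], "req/min,", "burst" if f["burst"] else "")
```

In production, feed the real access log through scan() and tune burst_threshold to the site's normal booking traffic; the burst signal matters because a careful attacker can avoid every signature above, but cannot avoid issuing many requests to extract data blind.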
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrators must treat this vulnerability with high urgency. Applying the vendor update is the only definitive way to remediate the flaw; monitoring and WAF rules reduce exposure in the interim but do not prevent data exfiltration by a determined authenticated user.