CVE-2026-22336
Directorist · Booking
The Directorist Booking plugin contains an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands.
Executive summary
A critical SQL injection vulnerability in the Directorist Booking plugin could allow remote attackers to manipulate database queries and potentially access sensitive information.
Vulnerability
This is an SQL Injection (SQLi) vulnerability in the Booking component: user-supplied input reaches a database query without proper neutralization, so an attacker can change the structure of the statement. Such flaws typically allow an attacker to bypass application-level security controls and interact directly with the underlying database by injecting their own SQL.
Business impact
Successful exploitation of this SQL injection vulnerability allows an attacker to read, modify, or delete data stored within the WordPress database. This could result in the theft of customer records or administrative credentials, or in total loss of data availability. The CVSS score of 9.3 reflects the critical impact on system confidentiality and integrity.
Remediation
Immediate Action: Update the Directorist Booking plugin to version 3.0.2 or later to apply the necessary input sanitization fixes.
Proactive Monitoring: Monitor database query logs for unusual patterns or syntax errors that suggest automated SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads directed at the application.
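The following is an added illustration of the generic WordPress coding pattern behind this class of flaw and of the $wpdb->prepare() fix that plugin "input sanitization" updates typically introduce. It is not code from the Directorist Booking plugin, and the function names, table name and request parameter are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the Directorist Booking plugin.
// Function names and the table name (example_bookings) are assumptions.

// Vulnerable pattern: a request value is concatenated into the SQL text.
function wp_booking_lookup_vulnerable( $booking_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings'; // assumed table name
    // $booking_id arrives straight from the request; anything that is not
    // a plain integer becomes part of the statement's syntax.
    $sql = "SELECT * FROM {$table} WHERE id = " . $booking_id;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through $wpdb->prepare(), so the
// database only ever sees it as an integer literal, never as SQL syntax.
function wp_booking_lookup_safe( $booking_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings';
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d",
        absint( $booking_id ) // coerce to a non-negative integer first
    );
    return $wpdb->get_results( $sql );
}

// String columns use the %s placeholder; prepare() escapes and quotes
// the value. Sanitizing the input is defence in depth, not the fix itself.
function wp_booking_search_safe( $customer_email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings';
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE customer_email = %s AND status = %s",
        sanitize_email( $customer_email ),
        'confirmed'
    );
    return $wpdb->get_results( $sql );
}

// Typical call site (assumed request parameter name):
// $rows = wp_booking_lookup_safe( isset( $_GET['booking_id'] ) ? $_GET['booking_id'] : 0 );
```

When auditing a plugin for this class of bug, the check is mechanical: every call to $wpdb->query(), get_results(), get_var(), get_row() or get_col() whose SQL string is built with interpolation or concatenation of request-derived data is a finding unless the string is the output of $wpdb->prepare(). Note that prepare() placeholders cover values only; table and column names must still come from code, not from the request.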
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
SQL injection is a high-impact vulnerability that requires immediate attention. Organizations should verify that all installations are updated to the patched version to prevent unauthorized database access.