CVE-2026-22336

Directorist · Booking

The Directorist Booking plugin contains an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands.

Executive summary

A critical SQL injection vulnerability in the Directorist Booking plugin could allow remote attackers to manipulate database queries and potentially access sensitive information.

Vulnerability

This is an SQL Injection (SQLi) vulnerability occurring within the Booking component. Such flaws typically allow an attacker to bypass security controls and interact directly with the underlying database by injecting malicious SQL statements.

Business impact

Successful exploitation of this SQL injection vulnerability allows an attacker to read, modify, or delete data stored in the WordPress database. This could result in the theft of customer records or administrative credentials, or in a total loss of data availability. The CVSS score of 9.3 reflects the critical impact of this flaw on the confidentiality and integrity of the affected system.

Remediation

Immediate Action: Update the Directorist Booking plugin to version 3.0.2 or later to apply the necessary input sanitization fixes.

Proactive Monitoring: Monitor database query logs for unusual query patterns or repeated SQL syntax errors, which often indicate automated SQL injection attempts against the application.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads directed at the application.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

SQL injection is a high-impact vulnerability that requires immediate attention. Organizations should verify that all installations are updated to the patched version to prevent unauthorized database access.