SQL Injection Vulnerability in wpWax Directorist Booking Plugin
CVE-2026-49073

8.5HIGH

Key Information:

Vendor

WordPress
Status
Directorist Booking
Vendor
CVE Published:
16 June 2026

What is CVE-2026-49073?

The wpWax Directorist Booking plugin contains a vulnerability that allows for Blind SQL Injection attacks. This occurs due to improper neutralization of special elements in SQL commands, potentially enabling attackers to manipulate database queries and extract sensitive data. All versions from not applicable to 3.0.3 are at risk. It's crucial for users to take preventive measures by updating to the latest version and implementing additional security practices.

Affected Version(s)

Directorist Booking <= 3.0.3

References

https://patchstack.com/database/wordpress/plugin/director...
vdb-entry

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dutafi | Patchstack Bug Bounty Program
.