Platform
wordpress
Component
directorist-booking
Fixed in
3.0.2
CVE-2026-22336 is a SQL injection vulnerability in the Directorist Booking WordPress plugin. An attacker who can reach the affected code path can inject SQL into a query the plugin builds from request input, and so read or alter data in the site's database. This page lists the affected range as 0.0.0 up to and including 3.0.2 while also naming 3.0.2 as the fixed version; both cannot be right, so treat every install at or below 3.0.2 as suspect and confirm the exact boundary against the vendor's changelog before concluding you are patched.
What an attacker can actually do depends on the query's context and on the privileges of the database account WordPress connects with. In a typical install that account can read and write every table, so a working injection can expose user records (login names, e-mail addresses, password hashes), site configuration in the options table, and the plugin's booking data, and, if the injection point allows writes, can insert or modify rows, for example to create an administrator account. Direct operating-system command execution is not a normal consequence of SQL injection; it would require additional weaknesses such as file-write access through the database server. Any other system that trusts the same database inherits the compromise.
The vulnerability was published on 2026-04-27 and is rated CRITICAL (CVSS 9.3). At the time of writing there is no report of exploitation in the wild. The low EPSS score below reflects the absence of observed exploitation, not difficulty of exploitation; SQL injection flaws in WordPress plugins are routinely weaponized once a public proof of concept appears, so watch security advisories and threat intelligence feeds for a change in status.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC: not listed on this page
CVSS Vector: not listed on this page (score shown as 9.3)
The fix for CVE-2026-22336 is to update Directorist Booking to the version the vendor marks as patched (3.0.2 according to this page; confirm against the plugin changelog) as soon as possible. Input validation and parameterized queries are the developer-side fix and are what the patch should contain; a site operator cannot apply them to a third-party plugin without modifying its code. Until you can update, reduce exposure: deactivate the plugin if the site can tolerate it, put a web application firewall with SQL injection rules in front of the site, and restrict the database account WordPress uses to the privileges it needs. After updating, confirm the installed version in the WordPress plugins screen or with WP-CLI. This page does not identify the vulnerable endpoint, so do not fire injection payloads at a production site; any verification test belongs on a staging copy you are authorized to test. If updating is not an option for your environment, removing the plugin and replacing it is a legitimate fallback.
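The parameterized-query fix referred to in the mitigation guidance, shown as an added illustration: this is not code from the Directorist Booking plugin, and the page does not identify which query is affected. The table name, column names and request parameters below are invented for the example. The pattern is the standard WordPress one: cast or allow-list each input, keep table names out of user control, and bind values through $wpdb->prepare(), which is what an operator should expect the vendor's patch to do.

```php
<?php
// Added illustration, not code from the Directorist Booking plugin.
// Assumptions: a hypothetical custom table {$wpdb->prefix}bookings with
// columns id, listing_id, status, booking_date and customer_name; the
// request parameters listing_id and status are invented for this example.

// VULNERABLE PATTERN: request data concatenated straight into SQL.
function example_get_bookings_vulnerable( $request ) {
	global $wpdb;
	$table      = $wpdb->prefix . 'bookings';
	$listing_id = $request['listing_id']; // e.g. "1 OR 1=1"
	$status     = $request['status'];     // e.g. "' UNION SELECT user_login,user_pass,1,1,1 FROM wp_users-- "
	$sql = "SELECT * FROM {$table} WHERE listing_id = {$listing_id} AND status = '{$status}'";
	return $wpdb->get_results( $sql );    // injected SQL runs with the site's DB credentials
}

// HARDENED PATTERN: cast/allow-list inputs, then let $wpdb->prepare() bind them.
function example_get_bookings_hardened( $request ) {
	global $wpdb;
	$table = $wpdb->prefix . 'bookings'; // table name comes from config, never from the request

	$listing_id = absint( $request['listing_id'] ?? 0 );      // non-numeric input becomes 0
	$allowed    = array( 'pending', 'approved', 'cancelled' ); // allow-list for an enum-like field
	$status     = sanitize_key( $request['status'] ?? '' );
	if ( ! in_array( $status, $allowed, true ) ) {
		return new WP_Error( 'bad_status', 'Invalid booking status.' );
	}

	$sql = $wpdb->prepare(
		"SELECT id, listing_id, status, booking_date FROM {$table} WHERE listing_id = %d AND status = %s",
		$listing_id,
		$status
	);
	return $wpdb->get_results( $sql );
}

// Variable-length IN (...) lists: one placeholder per value, never an imploded raw input.
function example_get_bookings_by_ids( array $ids ) {
	global $wpdb;
	$ids = array_filter( array_map( 'absint', $ids ) ); // drop anything that is not a positive integer
	if ( empty( $ids ) ) {
		return array();
	}
	$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) ); // "%d,%d,..." only
	$table        = $wpdb->prefix . 'bookings';
	$sql          = $wpdb->prepare( "SELECT * FROM {$table} WHERE id IN ({$placeholders})", $ids );
	return $wpdb->get_results( $sql );
}

// LIKE searches: escape wildcards with esc_like() before binding with %s,
// otherwise a user-supplied "%" turns the filter into a full-table match.
function example_search_bookings_by_name( $term ) {
	global $wpdb;
	$table = $wpdb->prefix . 'bookings';
	$like  = '%' . $wpdb->esc_like( $term ) . '%';
	$sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE customer_name LIKE %s", $like );
	return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, search for $wpdb->query, get_results, get_var and get_row calls whose SQL string contains an interpolated variable that was not produced by $wpdb->prepare(); every such site where the variable traces back to $_GET, $_POST, $_REQUEST or REST/AJAX parameters is a candidate for the same problem.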
CVE-2026-22336 is a critical SQL injection vulnerability in the Directorist Booking WordPress plugin (affected range listed as 0.0.0 through 3.0.2, fixed version listed as 3.0.2) that lets an attacker inject SQL and read or alter data in the site database.
You are affected if you run Directorist Booking at version 3.0.2 or earlier and have not confirmed against the vendor changelog that your version contains the fix. Check the installed version now and update if needed.
Update Directorist Booking to the patched version. If you cannot update immediately, deactivate the plugin or place a WAF with SQL injection rules in front of the site; input validation and parameterized queries are the developer's fix, not an operator workaround.
There is no public evidence of CVE-2026-22336 being exploited at the time of writing, but the critical rating means remediation should not wait for that to change.
Refer to the Directorist Booking vendor site and the WordPress plugin repository for the latest advisory and update information on CVE-2026-22336.