CVE-2023-2201 in Web Directory Free Plugin
Summary
by MITRE • 06/02/2023
The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2023-2201 affects the Web Directory Free plugin for WordPress, a widely used directory management solution that allows users to create and manage business listings within WordPress environments. This particular flaw represents a critical security weakness that undermines the integrity of database operations within the affected plugin ecosystem. The vulnerability exists in versions up to and including 1.6.8, making a substantial portion of WordPress directory installations susceptible to exploitation by malicious actors who possess contributor-level privileges. The issue stems from inadequate input validation and sanitization practices within the plugin's codebase, specifically concerning how the post_id parameter is processed during database interactions.
The SQL injection arises from insufficient escaping of user-supplied parameters in the plugin's database query construction logic. When an authenticated attacker with contributor privileges submits a malicious post_id value, the plugin fails to sanitize or parameterize this input before incorporating it into existing SQL queries. This allows the attacker to manipulate the intended database operations by injecting additional SQL commands into the existing query structure. It is a classic SQL injection vector: the attacker appends SQL fragments to the original query, potentially gaining unauthorized access to sensitive database information.
The operational impact of this vulnerability extends beyond simple data extraction, as it provides authenticated attackers with the capability to perform unauthorized database operations that could compromise the entire WordPress installation. Contributors typically have limited capabilities within WordPress, including the ability to create and edit posts, but this vulnerability allows them to escalate their privileges through database manipulation. Attackers could potentially extract user credentials, administrative information, configuration details, or other sensitive data stored within the WordPress database. The vulnerability's exploitation requires minimal privileges but can result in significant damage to the site's security posture and potentially lead to full system compromise if combined with other vulnerabilities.
Mitigation strategies for CVE-2023-2201 should prioritize immediate plugin updates to versions that address the SQL injection flaw, as this represents the most effective defense against the vulnerability. Organizations should implement strict input validation and parameterization practices for all user-supplied data, ensuring that database queries properly escape or parameterize all external inputs. The vulnerability aligns with CWE-89, which specifically addresses SQL injection weaknesses in software systems, and follows common attack patterns documented in the MITRE ATT&CK framework under the database operations category. Security teams should also consider implementing network-level protections such as web application firewalls and database activity monitoring to detect and prevent exploitation attempts. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify and remediate similar vulnerabilities before they can be exploited by malicious actors.
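As an added example (not code from the plugin or from VulDB), the monitoring idea above can be applied to web server logs: a WordPress post ID is an unsigned integer, so any post_id value that is not one deserves review. The sketch assumes combined-format access logs and that the parameter arrives in the query string; the endpoint path, the action name and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A WordPress post ID is an unsigned integer; anything else is anomalous.
VALID_POST_ID = re.compile(r"[0-9]{1,20}")


def suspicious_post_ids(log_line):
    """Return the decoded post_id values in one log line that are not plain integers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    flagged = []
    # parse_qsl percent-decodes names and values and keeps repeated parameters.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Cover both post_id=... and array-style post_id[]=...
        if name == "post_id" or name.startswith("post_id["):
            if not VALID_POST_ID.fullmatch(value):
                flagged.append(value)
    return flagged


def scan(lines):
    """Return (client_ip, bad_values) for every line carrying a non-integer post_id."""
    hits = []
    for line in lines:
        bad = suspicious_post_ids(line)
        if bad:
            hits.append((line.split(" ", 1)[0], bad))
    return hits


# Constructed sample log lines (documentation-range addresses; path and action are assumptions).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jun/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&post_id=31 HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jun/2023:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example&post_id=31%20OR%201%3D1 HTTP/1.1" 200 9044',
    '198.51.100.7 - - [02/Jun/2023:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&post_id=12&post_id=12%27 HTTP/1.1" 500 0',
    '203.0.113.4 - - [02/Jun/2023:10:00:12 +0000] "GET /index.php?p=5 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG):
        print(ip, values)
```

Access logs normally record only the query string, so a post_id submitted in a POST body needs the same integer check applied at a WAF or in request-body logging instead.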