Description
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply patch
AI Analysis

Impact

The WP Directory Kit plugin is vulnerable to SQL injection through the 'hide_fields' and 'attr_search' parameters, allowing an unauthenticated attacker to append malicious SQL to existing queries and retrieve sensitive database information. This vulnerability is a classic CWE‑89 input validation flaw that can compromise confidentiality of WordPress site data.

Affected Systems

WordPress sites running WP Directory Kit version 1.4.7 or earlier are affected. The plugin must be updated to a version that removes the vulnerable parameters or is removed entirely.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in CISA KEV. Attackers can exploit the flaw by sending crafted HTTP requests to the plugin’s endpoints with the vulnerable parameters, with no authentication required, to inject arbitrary SQL.

Generated by OpenCVE AI on April 21, 2026 at 00:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WP Directory Kit release (1.4.8 or newer) which eliminates the insecure parameter handling.
  • If an immediate update is not possible, block or remove the 'hide_fields' and 'attr_search' parameters by sanitizing input or disabling the relevant functionality via a custom filter.
  • Implement or configure a web application firewall rule to detect and block requests containing suspicious SQL syntax targeting the WP Directory Kit plugin.

Generated by OpenCVE AI on April 21, 2026 at 00:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Listingthemes
Listingthemes wpdirectory Kit
Wordpress
Wordpress wordpress
Vendors & Products Listingthemes
Listingthemes wpdirectory Kit
Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WP Directory Kit <= 1.4.7 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Listingthemes Wpdirectory Kit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:54.025Z

Reserved: 2025-11-12T20:05:19.585Z

Link: CVE-2025-13089

cve-icon Vulnrichment

Updated: 2025-12-15T15:25:16.528Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:46.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13089

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses