Description
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-02
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential exfiltration of database information via SQL injection
Action: Immediate patch
AI Analysis

Impact

The WP Directory Kit plugin for WordPress contains a classic SQL injection vulnerability arising from inadequate escaping of the 'search' parameter and the absence of prepared statements. This flaw permits an attacker who can authenticate as an Administrator or higher to append arbitrary SQL commands to the existing query. The result is that sensitive database content—such as user credentials, site content, or configuration data—can be exposed. The vulnerability does not grant code execution, but it directly compromises confidentiality by allowing read‑only data extraction.
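A constructed illustration of the pattern the description names (a request value concatenated into the query string versus bound through $wpdb->prepare()), added here as example code that is not the WP Directory Kit source; the function, table and AJAX action names are assumptions.

```php
<?php
// Constructed example of the CWE-89 pattern in a WordPress plugin search
// handler. Not the WP Directory Kit source; names below are assumptions.

// Vulnerable pattern: the 'search' value is dropped straight into the SQL
// string. No escaping and no prepared statement, so quotes or SQL syntax in
// the parameter change the structure of the query instead of its data.
function wpdk_example_search_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_listings'; // assumed table name
    $sql   = "SELECT id, title FROM {$table} WHERE title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through $wpdb->prepare() (%s is quoted
// and escaped by WordPress), and because it feeds a LIKE clause the wildcard
// characters are escaped with $wpdb->esc_like() first so they stay literal.
// The capability check limits who can reach the endpoint; it is not the fix.
// The binding is what makes the query safe even for Administrator input.
function wpdk_example_search_hardened( $search ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $table = $wpdb->prefix . 'example_listings'; // assumed table name
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Request handling for the hardened version (assumed admin-ajax action name).
add_action( 'wp_ajax_wpdk_example_search', function () {
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    wp_send_json( wpdk_example_search_hardened( $search ) );
} );
```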

Affected Systems

All installations of WP Directory Kit version 1.4.6 or earlier that are running on WordPress. Only users who legitimately hold Administrator or higher privileges within the WordPress instance can exploit the flaw, as authentication is required to access the vulnerable endpoint.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. The EPSS score of less than 1% suggests that real‑world exploitation is unlikely at present, and the flaw is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is a targeted web request sent to the plugin’s interface containing a crafted 'search' parameter. The attack would need an authenticated session; there are no known public exploits, but the injection path is straightforward for an attacker with the requisite credentials.

Generated by OpenCVE AI on April 21, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Directory Kit to a version that resolves the SQL injection issue (1.4.7 or later).
  • If an immediate update is not possible, deactivate the plugin for all administrator and higher‑level accounts until the patch is applied.
  • Implement a web application firewall or security plugin configured to block suspicious SQL injection patterns and verify that the 'search' endpoint is no longer vulnerable.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 12:15:00 +0000

Values Added:
First Time appeared: Listingthemes; Listingthemes wpdirectory Kit; Wordpress; Wordpress wordpress
Vendors & Products: Listingthemes; Listingthemes wpdirectory Kit; Wordpress; Wordpress wordpress

Tue, 02 Dec 2025 14:15:00 +0000

Values Added:
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 11:30:00 +0000

Values Added:
Description: The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title: WP Directory Kit <= 1.4.6 - Authenticated (Admin+) SQL Injection
Weaknesses: CWE-89
References:
Metrics cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:58.672Z

Reserved: 2025-11-12T20:07:21.330Z

Link: CVE-2025-13090

Vulnrichment

Updated: 2025-12-02T13:51:33.965Z

NVD

Status : Deferred

Published: 2025-12-02T12:16:18.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses