Description
The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting via the order_by parameter
Action: Apply Patch
AI Analysis

Impact

The WP Directory Kit plugin for WordPress contains an input handling flaw in the order_by query parameter that is not properly sanitized or escaped when rendering the page. This flaw enables an unauthenticated attacker to craft a request that includes JavaScript code, causing that code to be reflected back to the visitor's browser when the page loads. An injected script can then perform actions such as stealing session cookies, defacing the site, or redirecting users to malicious destinations.

Affected Systems

The flaw exists in all releases of the WP Directory Kit WordPress plugin from its earliest versions through 1.4.5 inclusive. Any WordPress installation that has the plugin installed and active below 1.4.6 is vulnerable. Sites using a newer version or that have removed the plugin are not affected.

Risk and Exploitability

The CVSS score for this vulnerability is 6.1, indicating a medium severity. The EPSS score is reported as less than 1%, suggesting a very low probability of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice a user to visit a crafted URL, a typical XSS attack vector. While the impact does not compromise the server itself, it can lead to credential theft or defacement, posing a significant risk to site owners and visitors.

Generated by OpenCVE AI on April 22, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Directory Kit plugin to the latest available version that includes the XSS fix (any release newer than 1.4.5).
  • If an update is not yet available, temporarily deactivate or remove the plugin to eliminate the vulnerable code path.
  • Apply a web application firewall rule or Content Security Policy that blocks inline script execution from the affected parameter to mitigate the risk until the plugin is updated.

Generated by OpenCVE AI on April 22, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Listingthemes
Listingthemes wpdirectory Kit
Wordpress
Wordpress wordpress
Vendors & Products Listingthemes
Listingthemes wpdirectory Kit
Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 05:45:00 +0000

Type Values Removed Values Added
Description The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WP Directory Kit <= 1.4.5 - Reflected Cross-Site Scripting via 'order_by' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Listingthemes Wpdirectory Kit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:37.397Z

Reserved: 2025-11-21T19:45:44.250Z

Link: CVE-2025-13525

cve-icon Vulnrichment

Updated: 2025-11-28T16:21:35.176Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T06:15:46.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses