Description
The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
Published: 2026-01-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Update
AI Analysis

Impact

The WP Directory Kit plugin for WordPress is affected by a Sensitive Information Exposure flaw that allows an unauthenticated attacker to retrieve email addresses associated with Directory Kit-specific user roles through the AJAX handler wdk_public_action. This functionality can expose personally identifiable information without any authentication context.

Affected Systems

All WordPress sites running WP Directory Kit version 1.4.9 or earlier are impacted, regardless of other plugins or themes. The vulnerability arises from the AJAX endpoint wdk_public_action within the plugin.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS score below 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, suggesting it is not a known target of active exploit campaigns. Exploitation requires only a crafted AJAX request to the publicly accessible endpoint, but no active exploitation or exploit code is known at this time.

Generated by OpenCVE AI on April 22, 2026 at 06:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WP Directory Kit update to address the information exposure; the exact patch version is not specified in the CVE data, so refer to the vendor's release notes for the fixing version.
  • If an update is not possible, restrict the wdk_public_action endpoint to authenticated users to eliminate the exposure.
  • Monitor for suspicious AJAX requests and enforce firewall rules that block access to wdk_public_action to mitigate possible exposure.

Generated by OpenCVE AI on April 22, 2026 at 06:03 UTC.
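As an added example (not code from WP Directory Kit or OpenCVE), the following must-use plugin implements the second recommended action: it hooks the WordPress unauthenticated AJAX path for the action name given above and rejects the request before the plugin's handler runs. It assumes the plugin registers its handler on the standard wp_ajax_nopriv_wdk_public_action hook at the default priority; the file name and log message are also assumptions.

```php
<?php
/**
 * Plugin Name: Mitigation - block unauthenticated wdk_public_action
 * Description: Added example for CVE-2025-13920, not code from WP Directory Kit or OpenCVE.
 *              Install as wp-content/mu-plugins/block-wdk-public-action.php (assumed name)
 *              and remove once the vendor's fixed release is installed.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// WordPress routes admin-ajax.php requests from logged-out visitors through the
// 'wp_ajax_nopriv_{action}' hook. Registering at priority 0 runs this callback
// before the plugin's own handler, which is assumed to use the default priority 10.
add_action( 'wp_ajax_nopriv_wdk_public_action', 'mitigation_block_anon_wdk_public_action', 0 );

/**
 * Reject unauthenticated calls to the wdk_public_action handler.
 */
function mitigation_block_anon_wdk_public_action() {
    // Log the attempt so request monitoring (third recommendation) has something to key on.
    // Only REMOTE_ADDR is used; X-Forwarded-For style headers are client-controlled.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wdk_public_action: rejected unauthenticated request from %s', $ip ) );

    // wp_send_json_error() sets the HTTP status, emits the JSON body and calls wp_die(),
    // so the plugin's handler never executes for this request.
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
}
```

Because the handler is the plugin's public entry point, check whether any front-end directory listing or search on the site depends on anonymous calls before deploying this; if one does, the vendor update remains the only complete fix.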

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
                                       Wpdirectorykit
                                       Wpdirectorykit wp Directory Kit
Vendors & Products                     Wordpress
                                       Wordpress wordpress
                                       Wpdirectorykit
                                       Wpdirectorykit wp Directory Kit

Sat, 24 Jan 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
Title                          WP Directory Kit <= 1.4.9 - Unauthenticated Email Exposure via wdk_public_action
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1
                               {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:24.187Z

Reserved: 2025-12-02T18:58:08.690Z

Link: CVE-2025-13920

Vulnrichment

Updated: 2026-01-26T15:34:00.235Z

NVD

Status: Deferred

Published: 2026-01-24T13:15:54.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses