CVE-2025-13090 Overview
CVE-2025-13090 is a SQL Injection vulnerability affecting the WP Directory Kit plugin for WordPress. The vulnerability exists in all versions up to, and including, 1.4.6 due to insufficient escaping on the user-supplied search parameter and lack of sufficient preparation on the existing SQL query. This flaw allows authenticated attackers with Administrator-level access and above to append additional SQL queries into already existing queries, enabling the extraction of sensitive information from the database.
Critical Impact
Authenticated attackers with Administrator privileges can exploit this SQL Injection vulnerability to extract sensitive information from the WordPress database, potentially compromising user credentials, personal data, and other confidential information stored within the site.
Affected Products
- WP Directory Kit WordPress Plugin versions up to and including 1.4.6
- WordPress installations using vulnerable WP Directory Kit versions
Discovery Timeline
- 2025-12-02 - CVE-2025-13090 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-13090
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) exists within the WP Directory Kit plugin's search functionality. The vulnerability has been assigned a CVSS 3.1 score of 4.9 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N.
The CVSS metrics indicate:
- Attack Vector (AV): Network - The vulnerability is exploitable remotely
- Attack Complexity (AC): Low - No special conditions are required
- Privileges Required (PR): High - Administrator-level access is needed
- User Interaction (UI): None - No user interaction is required
- Scope (S): Unchanged - The vulnerability affects only the vulnerable component
- Confidentiality (C): High - Complete disclosure of database information is possible
- Integrity (I): None - No modification of data
- Availability (A): None - No impact on system availability
The EPSS (Exploit Prediction Scoring System) probability is 0.03%, placing it at the 7.843 percentile, which indicates a relatively low likelihood of exploitation in the wild.
Root Cause
The root cause of this vulnerability is insufficient input sanitization and improper use of SQL query preparation. The search parameter accepts user-supplied input that is not properly escaped before being incorporated into SQL queries. WordPress provides the $wpdb->prepare() method for creating safe, parameterized queries, but this protective measure was either missing or improperly implemented in the affected code paths.
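To make the root cause concrete, the following PHP is an added illustration (not WP Directory Kit's actual code) that places the unsafe concatenation pattern beside the $wpdb->prepare() form; the function names, the directory_listings table and the $search parameter are constructed for the example.

```php
<?php
// Added illustration of the CWE-89 pattern this advisory describes. The
// function names and table are constructed, not taken from WP Directory Kit.

// Vulnerable shape: the user-supplied term is concatenated straight into the
// statement. A single quote in $search closes the string literal and the rest
// of the input runs as SQL with the site's full database privileges.
function directory_search_unsafe( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'directory_listings'; // hypothetical table
    $sql   = "SELECT id, title FROM {$table} WHERE title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened shape: the term never becomes part of the SQL text.
// - $wpdb->esc_like() neutralises the LIKE wildcards % and _ so a user cannot
//   turn the pattern into a match-everything query.
// - $wpdb->prepare() binds the value through a %s placeholder, so quotes in
//   the input are data, not syntax. The wildcards live in the argument, not
//   the format string, where a literal percent sign would have to be %%.
function directory_search_safe( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'directory_listings'; // hypothetical table
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

Note that a capability check does not help here, because the advisory's attacker already holds Administrator privileges; only parameterisation removes the flaw.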
Attack Vector
The attack requires authenticated access with Administrator-level privileges. An attacker with such access can manipulate the search parameter to inject malicious SQL commands. Since the vulnerability is network-accessible and requires no user interaction, a compromised or malicious administrator account could leverage this flaw to:
- Extract sensitive user information including usernames, email addresses, and password hashes
- Access plugin and theme configuration data
- Retrieve any data stored in the WordPress database
- Potentially enumerate database structure for further attacks
Based on the CVSS metrics provided, the vulnerability allows data extraction but does not permit modification or deletion of database records.
Detection Methods for CVE-2025-13090
Indicators of Compromise
- Unusual or malformed requests to WP Directory Kit search functionality containing SQL syntax characters
- Database query logs showing unexpected UNION SELECT, ORDER BY, or other SQL injection patterns
- Abnormal data extraction patterns or large query result sets
- Failed or suspicious SQL queries in WordPress debug logs
- Increased database load from search-related queries
Detection Strategies
Organizations should implement the following detection strategies:
Web Application Firewall (WAF) Rules: Deploy rules to detect and block SQL injection patterns in the search parameter, including common payloads like ' OR '1'='1, UNION SELECT, and stacked queries.
Database Query Monitoring: Monitor WordPress database queries for anomalous patterns, particularly those originating from the WP Directory Kit plugin's search functionality.
Log Analysis: Review WordPress and web server access logs for requests containing SQL injection signatures targeting the plugin's endpoints.
Plugin Version Auditing: Regularly audit installed WordPress plugins to identify vulnerable versions of WP Directory Kit.
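As an added example of the database query monitoring described above (not a Wordfence or WP Directory Kit component), this must-use plugin hooks WordPress's 'query' filter, which wpdb::query() applies to every statement before executing it, and logs statements that carry the injection indicators listed in this advisory; the request parameter names 'search' and 's', the log line format and the plugin name are assumptions.

```php
<?php
/*
 * Plugin Name: Directory Kit SQLi query monitor (added example for this advisory)
 * Place in wp-content/mu-plugins/ so it loads on every request. It observes
 * and logs only; it never alters or blocks a statement, so legitimate queries keep working.
 */

// Indicators this advisory lists: UNION SELECT, stacked statements, comment
// tokens used to truncate the query tail, and time-based probes.
const DK_SQLI_PATTERNS = array(
    '/\bUNION\s+(ALL\s+)?SELECT\b/i',
    '/;\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b/i',
    '/(--|#|\/\*)/',
    '/\b(SLEEP|BENCHMARK)\s*\(/i',
);

// Return the first matching indicator pattern, or null when the SQL is clean.
function dk_sqli_indicator( $sql ) {
    foreach ( DK_SQLI_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $sql ) ) {
            return $pattern;
        }
    }
    return null;
}

function dk_sqli_query_filter( $sql ) {
    static $busy = false; // guard: resolving the user may itself run queries
    // Assumed parameter names; only inspect search-style requests so core's
    // own queries on ordinary page loads do not generate noise.
    if ( $busy || ( ! isset( $_REQUEST['search'] ) && ! isset( $_REQUEST['s'] ) ) ) {
        return $sql;
    }
    $hit = dk_sqli_indicator( $sql );
    if ( null !== $hit ) {
        $busy = true;
        $uid  = function_exists( 'wp_get_current_user' ) ? get_current_user_id() : 0;
        error_log( sprintf(
            '[dk-sqli-monitor] user=%d ip=%s uri=%s pattern=%s sql=%s',
            $uid,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            $hit,
            substr( $sql, 0, 500 )
        ) );
        $busy = false;
    }
    return $sql;
}
add_filter( 'query', 'dk_sqli_query_filter' );
```

The user id in each log line ties a flagged statement to the administrator account that issued the request, which is the audit trail the mitigation section asks for.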
Monitoring Recommendations
Security teams should establish continuous monitoring for:
- Access log entries with SQL metacharacters in search parameters
- Failed authentication attempts followed by search functionality abuse
- Database error messages that may indicate SQL injection attempts
- Administrator account activity, particularly involving the WP Directory Kit plugin
- Changes to database tables that could indicate successful exploitation
How to Mitigate CVE-2025-13090
Immediate Actions Required
- Update WP Directory Kit plugin to a version newer than 1.4.6 that addresses this vulnerability
- Review administrator account access and ensure only trusted users have administrator privileges
- Implement a Web Application Firewall (WAF) with SQL injection protection rules
- Enable WordPress database query logging to monitor for suspicious activity
- Audit recent administrator activity for signs of exploitation
Patch Information
The vulnerability has been addressed in updated versions of the WP Directory Kit plugin. Security patches are available via the WordPress Plugin Repository:
Additional vulnerability intelligence is available from Wordfence.
Workarounds
If immediate patching is not possible, implement the following temporary mitigations:
Restrict Administrator Access: Limit administrator accounts to only essential, trusted personnel until the patch can be applied.
WAF Configuration: Configure your web application firewall to filter SQL injection patterns in requests to the WP Directory Kit plugin.
Network Segmentation: Restrict access to WordPress administrative functions to trusted IP addresses or VPN connections.
Disable Plugin: As a last resort, temporarily disable the WP Directory Kit plugin until a patched version can be deployed.
# Disable WP Directory Kit plugin via WP-CLI
wp plugin deactivate wpdirectorykit
# Verify plugin is disabled
wp plugin list --status=inactive | grep wpdirectorykit
# When patched version is available, update and reactivate
wp plugin update wpdirectorykit
wp plugin activate wpdirectorykit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

