CVE-2025-13138 Overview
CVE-2025-13138 is a SQL Injection vulnerability [CWE-89] affecting the WP Directory Kit plugin for WordPress in all versions up to and including 1.4.3. The flaw resides in the columns_search parameter of the select_2_ajax() function. Insufficient escaping of user-supplied input and inadequate query preparation allow unauthenticated attackers to append arbitrary SQL clauses to existing database queries. Successful exploitation enables extraction of sensitive information from the WordPress database.
Critical Impact
Unauthenticated attackers can extract sensitive data — including user credentials, session tokens, and personally identifiable information — directly from the WordPress database over the network.
Affected Products
- WP Directory Kit plugin for WordPress, all versions through 1.4.3
- WordPress sites running the vulnerable wpdirectorykit plugin
- Any site exposing the select_2_ajax() AJAX endpoint to unauthenticated users
Discovery Timeline
- 2025-11-21 - CVE-2025-13138 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-13138
Vulnerability Analysis
The vulnerability exists in the select_2_ajax() function inside application/controllers/Wdk_frontendajax.php at line 546 of the WP Directory Kit plugin. This function accepts a columns_search parameter from AJAX requests and incorporates it into a SQL query without applying wpdb::prepare() or proper escaping routines such as esc_sql(). Because the endpoint is exposed via WordPress AJAX hooks accessible to unauthenticated users, any visitor can submit crafted requests. The injected SQL is concatenated into the existing query, allowing attackers to extend the WHERE clause or append UNION SELECT statements.
The Exploit Prediction Scoring System places this vulnerability in a high-probability tier for near-term exploitation attempts, consistent with the historical pattern of automated scanners targeting unauthenticated WordPress plugin SQL injection flaws.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The plugin developer trusted client-supplied column-search input and interpolated it directly into the SQL string. WordPress provides the $wpdb->prepare() API specifically to bind parameters safely, but this code path bypasses it.
Attack Vector
An unauthenticated attacker sends a crafted HTTP POST request to the WordPress admin-ajax.php endpoint targeting the vulnerable select_2_ajax action. The attacker supplies a malicious columns_search payload containing SQL syntax — for example, a UNION SELECT clause referencing the wp_users table — to exfiltrate password hashes, secret keys, or session data. Because exploitation requires no authentication or user interaction, mass exploitation by automated bots is the expected pattern. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Code Review for the precise vulnerable code path.
Detection Methods for CVE-2025-13138
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with an action parameter referencing the WP Directory Kit select_2_ajax handler
- HTTP request bodies containing SQL keywords such as UNION, SELECT, SLEEP(, INFORMATION_SCHEMA, or 0x hex sequences in the columns_search parameter
- Unusually large or slow responses from admin-ajax.php consistent with blind or time-based SQL injection
- Database query logs showing malformed SELECT statements originating from the plugin
Detection Strategies
- Inspect web server access logs for requests to admin-ajax.php containing the columns_search parameter with non-alphanumeric characters
- Enable WordPress query logging or MySQL general_log and alert on queries containing suspicious tautologies such as OR 1=1
- Deploy a Web Application Firewall rule that blocks SQL metacharacters in the columns_search field
Monitoring Recommendations
- Forward WordPress, web server, and database logs to a centralized analytics platform for correlation
- Alert on spikes in admin-ajax.php traffic volume or error rates originating from the WP Directory Kit action
- Monitor outbound database response sizes for anomalies indicative of bulk data extraction
How to Mitigate CVE-2025-13138
Immediate Actions Required
- Update the WP Directory Kit plugin to a version newer than 1.4.3 once the vendor releases a patched build
- Deactivate and remove the plugin if a patched version is not yet available and the directory functionality is non-essential
- Audit the wp_users, wp_usermeta, and wp_options tables for unauthorized access or modification
- Rotate WordPress secret keys in wp-config.php and force password resets for all administrator accounts
Patch Information
Review the WordPress Changeset History for the official remediation commit. Site administrators should verify the installed plugin version through the WordPress Plugin Overview and apply updates through the WordPress admin console.
Workarounds
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible, or place the site behind an authenticating reverse proxy
- Deploy a WAF signature blocking SQL injection patterns targeting the columns_search POST parameter
- Enforce least-privilege on the MySQL account used by WordPress so the database user cannot read tables outside the WordPress schema
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
