CVE-2025-13920 Overview
CVE-2025-13920 is a Sensitive Information Exposure vulnerability affecting the WP Directory Kit plugin for WordPress. All versions up to and including 1.4.9 are vulnerable through an improperly secured AJAX handler. This vulnerability allows unauthenticated attackers to extract email addresses belonging to users with Directory Kit-specific user roles, potentially enabling further targeted attacks such as phishing campaigns or credential stuffing.
Critical Impact
Unauthenticated attackers can harvest user email addresses from WordPress sites running vulnerable versions of WP Directory Kit, exposing directory members to spam, phishing, and social engineering attacks.
Affected Products
- WP Directory Kit plugin for WordPress versions up to and including 1.4.9
Discovery Timeline
- 2026-01-24 - CVE-2025-13920 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-13920
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the wdk_public_action AJAX handler within the WP Directory Kit plugin. The handler fails to implement proper authentication checks, allowing any unauthenticated user to invoke the endpoint and retrieve sensitive user data.
WordPress AJAX handlers typically require nonce verification and capability checks to prevent unauthorized access. In this case, the vulnerable handler exposes email addresses associated with Directory Kit-specific user roles without validating that the requester has appropriate permissions. This information disclosure can serve as a reconnaissance vector for attackers building target lists for subsequent attacks.
Root Cause
The root cause of this vulnerability is insufficient access control implementation in the wdk_public_action AJAX handler. The handler processes requests without verifying user authentication status or validating nonces, enabling any remote attacker to query the endpoint and extract user email addresses. This represents a failure to follow WordPress security best practices for AJAX endpoint protection.
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft HTTP requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the wdk_public_action action parameter. The server responds with user email data without requiring any credentials or session tokens.
The attack can be executed through simple HTTP requests:
- Attacker identifies a WordPress site running WP Directory Kit plugin
- Attacker sends a crafted POST or GET request to the AJAX endpoint
- The vulnerable handler returns email addresses of users with Directory Kit roles
- Attacker collects this data for use in phishing campaigns or further attacks
For technical details on the vulnerability mechanics, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-13920
Indicators of Compromise
- Unusual volume of requests to /wp-admin/admin-ajax.php with action=wdk_public_action parameter
- Multiple AJAX requests from the same IP address in rapid succession targeting the vulnerable endpoint
- Access log entries showing unauthenticated requests to the AJAX handler returning successful responses
- Spike in email-based attacks targeting users registered in your WordPress directory
Detection Strategies
- Monitor WordPress access logs for requests containing wdk_public_action from unauthenticated users
- Implement Web Application Firewall (WAF) rules to detect and alert on suspicious AJAX requests to the WP Directory Kit endpoints
- Review server logs for enumeration patterns indicating automated scraping attempts
- Configure intrusion detection systems to flag bulk requests to the WordPress admin-ajax endpoint
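The indicators and detection strategies above can be applied mechanically to ordinary web-server access logs. The following stand-alone PHP 8 CLI script is an added example, not part of this advisory or of WP Directory Kit: it parses lines in Apache/nginx "combined" format, counts per-source-IP hits to admin-ajax.php that name action=wdk_public_action in the query string ("definite"), and separately counts bursts of successful POSTs to admin-ajax.php ("possible", because the action may sit in the request body, which access logs do not record). The 60-second window and the threshold of 5 hits are assumed values to be tuned to the site's normal traffic; the sample log lines, IP addresses and timestamps are constructed.

```php
<?php
// Added example (not from the advisory or the plugin): applies the indicators of
// compromise to access-log lines. Run as `php detect_wdk.php /var/log/apache2/access.log`
// or with no argument to process the constructed sample below.

const VULN_ACTION    = 'wdk_public_action';
const WINDOW_SECONDS = 60; // assumed "rapid succession" window
const THRESHOLD      = 5;  // assumed hits-per-window that raise an alert

/** Parse one combined-format line; returns null for lines that do not match. */
function parse_line(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $when = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m['ts']);
    if ($when === false) {
        return null;
    }
    $url = parse_url($m['target']);
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m['ip'],
        'time'   => $when->getTimestamp(),
        'method' => $m['method'],
        'path'   => $url['path'] ?? '',
        'action' => isset($query['action']) ? strtolower((string) $query['action']) : null,
        'status' => (int) $m['status'],
    ];
}

/**
 * 'definite': successful admin-ajax.php request naming the affected action in the query string
 * 'possible': successful POST to admin-ajax.php whose action is not visible in the log
 * null:       not relevant to this advisory
 */
function classify(array $req): ?string
{
    if ($req['status'] !== 200 || !str_ends_with($req['path'], '/admin-ajax.php')) {
        return null;
    }
    if ($req['action'] === VULN_ACTION) {
        return 'definite';
    }
    return ($req['method'] === 'POST' && $req['action'] === null) ? 'possible' : null;
}

/** Largest number of hits of each kind, per IP, inside any WINDOW_SECONDS-long window. */
function burst_counts(array $lines): array
{
    $events = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $kind = classify($req);
        if ($kind === null) {
            continue;
        }
        $events[$req['ip']][$kind][] = $req['time'];
    }
    $result = [];
    foreach ($events as $ip => $kinds) {
        foreach ($kinds as $kind => $times) {
            sort($times);
            $best  = 0;
            $start = 0;
            foreach ($times as $i => $t) {
                while ($t - $times[$start] > WINDOW_SECONDS) { // slide the window forward
                    $start++;
                }
                $best = max($best, $i - $start + 1);
            }
            $result[$ip][$kind] = $best;
        }
    }
    return $result;
}

// Constructed sample: 203.0.113.10 scrapes the endpoint six times in ten seconds;
// 198.51.100.7 is an ordinary visitor whose page makes one POST to admin-ajax.php.
$sample = [
    '203.0.113.10 - - [24/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [24/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&page=2 HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '203.0.113.10 - - [24/Jan/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&page=3 HTTP/1.1" 200 501 "-" "python-requests/2.31"',
    '203.0.113.10 - - [24/Jan/2026:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&page=4 HTTP/1.1" 200 488 "-" "python-requests/2.31"',
    '203.0.113.10 - - [24/Jan/2026:10:00:08 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&page=5 HTTP/1.1" 200 495 "-" "python-requests/2.31"',
    '203.0.113.10 - - [24/Jan/2026:10:00:10 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action&page=6 HTTP/1.1" 200 490 "-" "python-requests/2.31"',
    '198.51.100.7 - - [24/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "https://example.test/" "Mozilla/5.0"',
];

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;
foreach (burst_counts($lines) as $ip => $kinds) {
    foreach ($kinds as $kind => $n) {
        if ($n >= THRESHOLD) {
            printf("ALERT %s: %d %s hits to admin-ajax.php within %ds\n", $ip, $n, $kind, WINDOW_SECONDS);
        }
    }
}
```

On the constructed sample this reports only 203.0.113.10 (six "definite" hits inside one window); the single POST from 198.51.100.7 stays below the threshold, which is the point of counting bursts rather than individual requests: WordPress front-ends legitimately POST to admin-ajax.php all the time, so "possible" alerts are a prompt to check the source, not evidence on their own.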
Monitoring Recommendations
- Enable detailed logging for all AJAX requests to WordPress installations
- Set up automated alerts for abnormal traffic patterns to the admin-ajax.php endpoint
- Regularly audit user email exposure by testing the vulnerable endpoint before and after patching
- Monitor for reports of phishing or spam targeting your directory users
How to Mitigate CVE-2025-13920
Immediate Actions Required
- Update WP Directory Kit plugin to the latest patched version immediately
- Review WordPress access logs for evidence of exploitation
- Consider temporarily disabling the WP Directory Kit plugin until updates can be applied
- Notify directory users about potential email exposure and advise vigilance against phishing
Patch Information
A security patch is available through the official WordPress plugin repository. The fix has been documented in the WordPress Plugin Changeset. Site administrators should update to a version newer than 1.4.9 to remediate this vulnerability.
To update the plugin:
- Navigate to the WordPress admin dashboard
- Go to Plugins → Installed Plugins
- Locate WP Directory Kit and click "Update Now"
- Verify the updated version is higher than 1.4.9
Workarounds
- Temporarily disable the WP Directory Kit plugin if immediate patching is not possible
- Implement WAF rules to block unauthenticated requests to the wdk_public_action AJAX action
- Restrict access to admin-ajax.php for specific actions using server-level configuration
- Use a security plugin like Wordfence to add additional access controls to AJAX endpoints
# Example .htaccess rule to restrict wdk_public_action (temporary workaround)
# Add to WordPress root .htaccess file.
# Note: mod_rewrite can only inspect the URL and query string, not the POST body,
# so this rule catches the action only when it is passed as ?action=... .
# Requests carrying the action in a POST body need a body-inspecting WAF (for
# example ModSecurity) or a WordPress-level check. Requests that present a
# WordPress login cookie are exempted so logged-in users keep working.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=wdk_public_action(&|$) [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteRule .* - [F,L]
</IfModule>
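Because admin-ajax.php reads the action parameter from both the query string and the POST body, a workaround inside WordPress covers both paths. The must-use plugin below is an added example, not code from WP Directory Kit or the advisory: it hooks admin_init, which admin-ajax.php fires before dispatching to any wp_ajax_* or wp_ajax_nopriv_* callback, and rejects anonymous calls to the wdk_public_action action with a 403 while letting logged-in users through. The file name wdk-ajax-guard.php and the helper function wdk_guard_is_target_request are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Temporary guard for wdk_public_action
 * Description: Added example (not part of WP Directory Kit): rejects anonymous calls to the
 *              wdk_public_action AJAX action until the plugin is updated past 1.4.9.
 *
 * Install by saving as wp-content/mu-plugins/wdk-ajax-guard.php (name is arbitrary).
 * Must-use plugins load before regular plugins, and admin-ajax.php fires 'admin_init'
 * before dispatching to any wp_ajax_* / wp_ajax_nopriv_* callback, so this check runs
 * ahead of the plugin's own handler regardless of how that handler is registered.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Only meaningful when loaded by WordPress.
}

/**
 * True when the current request is an admin-ajax.php call for the affected action.
 * Kept separate from the hook so the decision is easy to test in isolation.
 */
function wdk_guard_is_target_request( array $request, bool $doing_ajax ): bool {
	if ( ! $doing_ajax || empty( $request['action'] ) ) {
		return false;
	}
	// admin-ajax.php takes the action from $_REQUEST (query string or POST body alike).
	return 'wdk_public_action' === sanitize_key( (string) $request['action'] );
}

add_action(
	'admin_init',
	function () {
		$doing_ajax = defined( 'DOING_AJAX' ) && DOING_AJAX;
		if ( ! wdk_guard_is_target_request( $_REQUEST, $doing_ajax ) ) {
			return;
		}
		if ( is_user_logged_in() ) {
			return; // Authenticated callers proceed to the plugin's handler.
		}
		// Record the blocked attempt so the detection steps above have something to find.
		error_log( sprintf(
			'wdk_public_action blocked for anonymous request from %s',
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
		) );
		// wp_send_json_error() emits the JSON body and terminates the request.
		wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
	},
	0 // Priority 0: run before anything else hooked on admin_init.
);
```

This guard denies the action to every anonymous caller, so any public front-end feature of the directory that depends on it will stop working for visitors; test on a staging copy first and delete the file once the plugin has been updated past 1.4.9.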
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

