CVE-2025-13138

WordPress · WordPress WP Directory Kit Plugin

A high-severity vulnerability has been identified in the WP Directory Kit plugin for WordPress, designated as CVE-2025-13138.

Executive summary

CVE-2025-13138 allows an attacker to inject malicious database commands through the WP Directory Kit plugin, potentially leading to the theft of sensitive information, unauthorized data modification, or disruption of website services. Organizations using this plugin are at significant risk of a data breach and should take immediate action to mitigate the threat.

Vulnerability

The vulnerability is a SQL Injection flaw within the select_2_ajax() function of the WP Directory Kit plugin. An attacker can exploit this by sending a specially crafted request containing malicious SQL code within the columns_search parameter. Because the user-supplied input in this parameter is not properly sanitized before being used in a database query, the attacker's code is executed by the backend database, allowing them to read, modify, or delete sensitive data.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to severe business consequences, including the compromise of confidential data such as user credentials, personally identifiable information (PII), and customer data. This could result in significant financial loss, regulatory fines under data protection laws such as GDPR or CCPA, and severe reputational damage. An attacker could also deface the website or disrupt business operations by altering or deleting database records.

Remediation

Immediate Action: Identify all WordPress instances running the vulnerable WP Directory Kit plugin and update it to the latest patched version provided by the vendor. If the plugin is no longer required for business operations, it should be deactivated and uninstalled completely as a precautionary measure.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for any requests targeting the select_2_ajax() function, specifically looking for suspicious patterns or SQL syntax within the columns_search parameter. Database logs should also be reviewed for unusual or unauthorized queries that could indicate a successful or attempted exploit.
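One way to implement the log review described above, written here as an added example that is not part of the original advisory or the plugin's own code. It assumes the handler is reached through WordPress's admin-ajax.php with action=select_2_ajax and that the parameters travel in the query string (parameters sent in a POST body are not visible in a standard access log and need WAF or request-body logging); the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Apache/nginx combined log format: we only need client IP, method, path and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# SQL syntax that has no business appearing in a value that should name a column.
SQLI_PATTERNS = [
    re.compile(r"['\"`]"),                                 # string delimiters
    re.compile(r"\bunion\b.*\bselect\b", re.I),            # union-based extraction
    re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*=", re.I),     # boolean tautology
    re.compile(r"(--|#|/\*)"),                             # comment sequences
    re.compile(r"\b(sleep|benchmark|load_file)\s*\(", re.I),  # time-based / file reads
]

def is_select_2_ajax_request(path):
    """Assumption: the handler is invoked as admin-ajax.php?action=select_2_ajax."""
    parsed = urlparse(path)
    return parsed.path.endswith("admin-ajax.php") and \
        "select_2_ajax" in parse_qs(parsed.query).get("action", [])

def columns_search_is_suspicious(value):
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    decoded = unquote_plus(value)
    return any(p.search(decoded) for p in SQLI_PATTERNS)

def flag_log_line(line):
    """Return a finding dict for a suspicious select_2_ajax request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    if not is_select_2_ajax_request(path):
        return None
    for value in parse_qs(urlparse(path).query).get("columns_search", []):
        if columns_search_is_suspicious(value):
            return {"ip": ip, "method": method, "status": int(status),
                    "columns_search": unquote_plus(value)}
    return None

def scan(lines):
    return [hit for hit in map(flag_log_line, lines) if hit]

# Constructed sample log lines: one benign lookup, one SQL-shaped value, one unrelated action.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=select_2_ajax&columns_search=title&search=hotel HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:10:16:42 +0000] "GET /wp-admin/admin-ajax.php?action=select_2_ajax&columns_search=title%27%20OR%201%3D1--%20&search=x HTTP/1.1" 200 8192 "-" "curl/8.4.0"',
    '203.0.113.9 - - [10/Nov/2025:10:17:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A spike in flagged lines from one client, or a 200 response with an unusually large body, is the signal worth escalating; a single hit against a patched site is still worth recording as an attempt.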

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. Additionally, ensure the WordPress database user account operates with the principle of least privilege, limiting its permissions to only what is necessary for the application to function, thereby reducing the potential impact of a successful exploit.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) of this SQL injection vulnerability, we strongly recommend that organizations take immediate action. All WordPress sites using the WP Directory Kit plugin must be identified and patched without delay. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the nature of the flaw presents a significant risk that warrants urgent remediation to prevent potential data breaches and protect organizational assets.