CVE-2025-13089: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in listingthemes WP Directory Kit
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and 'attr_search' parameters in all versions up to, and including, 1.4.7 due to insufficient escaping of the user-supplied parameters and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-13089 identifies a critical SQL Injection vulnerability in the WP Directory Kit plugin for WordPress, versions up to and including 1.4.7. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), specifically in the 'hide_fields' and 'attr_search' parameters. These parameters do not undergo sufficient escaping or prepared statement handling, allowing an attacker to append arbitrary SQL queries to existing database queries. This flaw enables unauthenticated attackers to extract sensitive information from the backend database, such as user data or configuration details, without requiring any privileges or user interaction. The vulnerability has a CVSS v3.1 score of 7.5, reflecting its high severity due to network exploitability, no authentication needed, and high confidentiality impact. Although no public exploits have been reported yet, the widespread use of WordPress and the plugin's presence in many sites make this a critical risk. The lack of available patches at the time of disclosure necessitates immediate defensive measures. The vulnerability does not affect data integrity or availability but poses a serious confidentiality breach risk. The plugin's SQL queries should be rewritten to use parameterized statements and proper input validation to remediate the issue.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive data stored in WordPress databases, including user credentials, personal information, or business-critical data. This can result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. Since the vulnerability requires no authentication and no user interaction, attackers can remotely exploit it at scale, increasing the risk of widespread data leakage. Organizations relying on WP Directory Kit for directory listings or business data exposure are particularly vulnerable. The impact is primarily on confidentiality, with no direct effect on data integrity or site availability. However, leaked data could be leveraged for further attacks such as phishing or privilege escalation. The risk is amplified in sectors with strict data protection requirements, such as finance, healthcare, and government institutions within Europe.
Mitigation Recommendations
Immediate mitigation steps include disabling the WP Directory Kit plugin until a secure patched version is released. If disabling is not feasible, organizations should implement web application firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'hide_fields' and 'attr_search' parameters. Monitoring web server logs for unusual query patterns can help identify attempted exploitation. Developers should update the plugin code to use parameterized queries or prepared statements and ensure proper input validation and escaping for all user-supplied parameters. Regular vulnerability scanning and penetration testing should be conducted to detect similar injection flaws. Organizations should also maintain up-to-date backups to mitigate potential data loss from related attacks. Finally, educating site administrators about the risks and signs of SQL injection attacks can improve early detection and response.
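One way to carry out the log monitoring recommended above, as an added example that is not part of the original advisory or the plugin's code: a Python triage script that decodes the 'hide_fields' and 'attr_search' values in access-log request lines and flags SQL metacharacters or keywords. The log lines, the `/listings/` path and the marker regex are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Parameters named in the advisory.
WATCHED = {"hide_fields", "attr_search"}

# Heuristic SQL markers (an assumption; tune to your traffic): quotes,
# statement separators, comment sequences and common keywords.
SQLI = re.compile(
    r"['\"`;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs, hypothetical /listings/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2025:03:50:01 +0000] "GET /listings/?hide_fields=2,5,9 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Dec/2025:03:50:09 +0000] "GET /listings/?hide_fields=2%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 734',
    '203.0.113.5 - - [13/Dec/2025:03:51:30 +0000] "GET /listings/?attr_search%5Bcity%5D=x%2527%2520OR%25201%253D1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [13/Dec/2025:03:52:02 +0000] "GET /listings/?attr_search=berlin+cafe HTTP/1.1" 200 4980',
]


def suspicious_hits(lines):
    """Return (client_ip, parameter, decoded_value) for flagged requests."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            # PHP array syntax: attr_search[city] still belongs to attr_search.
            name = key.split("[", 1)[0]
            # Decode a second time so double-encoded values are inspected too.
            decoded = unquote_plus(value)
            if name in WATCHED and SQLI.search(decoded):
                hits.append((client_ip, name, decoded))
    return hits


if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(hit)
```

Values sent in POST bodies do not appear in access logs, so pair this with WAF or application-level logging.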
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T20:05:19.585Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693ce0d37c4acd10e84d925b
Added to database: 12/13/2025, 3:43:15 AM
Last enriched: 12/13/2025, 3:57:56 AM
Last updated: 12/13/2025, 10:24:38 PM