The WP Directory Kit plugin for WordPress, widely used for directory listing functionalities, contains a critical SQL Injection vulnerability identified as CVE-2025-13089. This vulnerability exists in all versions up to and including 1.4.7 due to insufficient escaping and lack of proper parameterized queries for the 'hide_fields' and 'attr_search' input parameters. These parameters are directly incorporated into SQL queries without adequate sanitization, enabling an attacker to append arbitrary SQL commands. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers. The injection flaw allows attackers to extract sensitive information from the backend database, potentially exposing user data, credentials, or other confidential information. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS 3.1 base score of 7.5 reflects its high severity, with an attack vector over the network, low attack complexity, no privileges required, and no user interaction needed. Although no active exploits have been reported, the vulnerability poses a significant risk due to the common usage of WordPress and the plugin's functionality. No official patches or updates have been linked yet, emphasizing the need for immediate mitigation efforts by administrators.

The primary impact of CVE-2025-13089 is the unauthorized disclosure of sensitive data stored in the WordPress site's database. Attackers exploiting this vulnerability can retrieve confidential information such as user credentials, personal data, or business-sensitive content, leading to data breaches and privacy violations. Since the vulnerability does not affect data integrity or availability directly, the risk is mainly confidentiality loss. However, information disclosure can facilitate further attacks, including privilege escalation or lateral movement within the compromised environment. Organizations relying on WP Directory Kit for critical directory listings or business operations may suffer reputational damage, regulatory penalties, and operational disruptions if exploited. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially on publicly accessible WordPress sites. This threat is particularly concerning for organizations with sensitive customer data or those subject to data protection regulations.

To mitigate CVE-2025-13089, organizations should immediately audit their WordPress installations to identify the use of WP Directory Kit plugin versions up to 1.4.7. If an updated, patched version is released, apply it promptly. In the absence of an official patch, implement the following mitigations: 1) Employ a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts targeting the 'hide_fields' and 'attr_search' parameters. 2) Disable or restrict access to the vulnerable plugin's features if feasible until a patch is available. 3) Use input validation and sanitization plugins or custom code to enforce strict parameter filtering on these inputs. 4) Limit database user permissions associated with WordPress to the minimum necessary to reduce potential data exposure. 5) Monitor logs for unusual query patterns or repeated failed attempts indicative of exploitation attempts. 6) Educate site administrators about the risk and encourage regular security assessments. These steps help reduce the attack surface and protect sensitive data while awaiting an official fix.