CVE-2025-13090 is a SQL Injection vulnerability classified under CWE-89, found in the WP Directory Kit plugin for WordPress, affecting all versions up to and including 1.4.6. The vulnerability stems from insufficient escaping and lack of proper preparation of the 'search' parameter in SQL queries. Authenticated users with administrator privileges can exploit this flaw by injecting additional SQL commands into existing queries via the 'search' parameter. This injection enables attackers to extract sensitive information from the backend database, compromising confidentiality. The vulnerability does not affect data integrity or availability, and exploitation does not require user interaction but does require high privileges (administrator or above). The CVSS v3.1 score is 4.9 (medium), reflecting the network attack vector, low attack complexity, requirement for privileges, no user interaction, and impact limited to confidentiality. No patches or known exploits are currently available or reported. The vulnerability was publicly disclosed on December 2, 2025, by Wordfence. The plugin is used to manage directory listings within WordPress sites, which are widely deployed across various sectors. The lack of sufficient input sanitization and parameterized queries in the plugin's codebase is the root cause, making it vulnerable to SQL Injection attacks that can be leveraged to retrieve sensitive data from the database.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive data stored in WordPress databases using the WP Directory Kit plugin. Attackers with administrator access can extract user data, credentials, or other confidential information, potentially leading to data breaches and regulatory non-compliance under GDPR. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive information can damage organizational reputation and result in financial penalties. Organizations in sectors such as e-commerce, government, healthcare, and education that rely on WordPress with this plugin are particularly vulnerable. Since exploitation requires administrator privileges, the impact is mitigated if strict access controls and monitoring are in place. However, insider threats or compromised administrator accounts could be leveraged to exploit this vulnerability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

1. Monitor for and apply security updates or patches from the plugin vendor as soon as they become available. 2. Restrict administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Conduct regular audits of administrator accounts and review access logs for suspicious activity. 4. Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection patterns targeting the 'search' parameter. 5. Where patching is not immediately possible, consider disabling or replacing the WP Directory Kit plugin with a more secure alternative. 6. Employ database-level protections such as limiting database user permissions to the minimum necessary. 7. Educate administrators on secure plugin usage and the risks of SQL Injection. 8. Perform regular vulnerability scans and penetration tests focusing on WordPress plugins to identify similar issues proactively.