CVE-2025-13090 is an SQL Injection vulnerability identified in the WP Directory Kit plugin for WordPress, affecting all versions up to and including 1.4.6. The vulnerability stems from insufficient escaping and lack of proper query preparation on the 'search' parameter, which is user-supplied. This improper neutralization of special elements in SQL commands (CWE-89) allows an attacker with Administrator-level access or higher to append arbitrary SQL code to existing queries. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects confidentiality (C:H) but not integrity (I:N) or availability (A:N). Exploiting this vulnerability could enable an attacker to extract sensitive information from the WordPress database, such as user credentials, configuration data, or other protected content. Although no public exploits have been reported, the vulnerability poses a risk in environments where multiple administrators exist or where administrator credentials may be compromised. The lack of patches at the time of disclosure necessitates immediate mitigation efforts by affected organizations.

The primary impact of CVE-2025-13090 is the unauthorized disclosure of sensitive information stored in the WordPress database. Since the vulnerability requires Administrator-level privileges, the risk is somewhat contained within trusted users; however, if an attacker gains or compromises such credentials, they can leverage this flaw to extract confidential data. This can lead to data breaches involving user information, site configuration, and potentially other sensitive content managed by the plugin. The vulnerability does not affect data integrity or availability, so it does not allow data modification or denial of service. Organizations relying on WP Directory Kit for directory listings or similar functionality may face compliance and reputational risks if sensitive data is exposed. The medium CVSS score reflects the balance between the severity of data exposure and the high privilege requirement. The absence of known exploits reduces immediate threat but does not eliminate future risk, especially in environments with multiple administrators or weak credential management.

1. Restrict Administrator Access: Limit the number of users with Administrator-level privileges to the minimum necessary and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2. Monitor Database Queries: Implement logging and monitoring of SQL queries executed by the WP Directory Kit plugin to detect anomalous or unexpected query patterns that may indicate exploitation attempts. 3. Use Web Application Firewalls (WAF): Deploy a WAF with custom rules to detect and block SQL injection attempts targeting the 'search' parameter of the plugin. 4. Isolate Plugin Usage: If possible, isolate the WP Directory Kit plugin in a staging environment or sandbox until a patch is released. 5. Regularly Update and Patch: Monitor vendor announcements for patches or updates addressing this vulnerability and apply them promptly once available. 6. Conduct Security Audits: Perform code reviews and penetration testing focused on plugin inputs and database interactions to identify and remediate similar vulnerabilities proactively. 7. Backup Data: Maintain regular backups of WordPress databases and files to enable recovery in case of compromise. These steps go beyond generic advice by focusing on privilege management, monitoring, and proactive isolation until a fix is available.