CVE-2025-13090: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in listingthemes WP Directory Kit
CVE-2025-13090 is a medium severity SQL Injection vulnerability in the WP Directory Kit WordPress plugin affecting all versions up to and including 1.4.6. It arises from improper neutralization of special elements in the 'search' parameter, allowing authenticated administrators to inject additional SQL queries. Exploitation requires administrator-level privileges and does not require user interaction. The vulnerability can lead to unauthorized disclosure of sensitive database information but does not impact data integrity or availability. No known exploits are currently in the wild. European organizations using this plugin should prioritize patching or mitigating this vulnerability to prevent potential data leaks. Countries with high WordPress usage and significant adoption of this plugin are most at risk. Mitigations include restricting admin access, implementing web application firewalls with SQLi detection, and monitoring database queries for anomalies.
AI Analysis
Technical Summary
CVE-2025-13090 is a SQL Injection vulnerability classified under CWE-89 found in the WP Directory Kit plugin for WordPress, affecting all versions up to and including 1.4.6. The vulnerability stems from insufficient escaping and lack of proper preparation of the 'search' parameter in SQL queries, which allows authenticated users with administrator privileges or higher to append malicious SQL commands to existing queries. This improper neutralization of special characters enables attackers to extract sensitive information from the backend database, such as user credentials, configuration data, or other confidential content stored within the WordPress environment. The vulnerability requires no user interaction but does require high-level privileges, limiting exploitation to insiders or compromised admin accounts. The CVSS v3.1 score is 4.9 (medium severity), reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact with no impact on integrity or availability. There are currently no known exploits in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on December 2, 2025, with the Wordfence team as the assigner. Given the widespread use of WordPress and the popularity of directory listing plugins, this vulnerability poses a risk to websites relying on WP Directory Kit for directory management and listings.
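As an added illustration (not code from the WP Directory Kit plugin or from Wordfence), the two query shapes the analysis contrasts: a 'search' value interpolated straight into the SQL string, beside the prepared form built with $wpdb->esc_like() and $wpdb->prepare(). The function names, the table name and the nonce action are assumptions.

```php
<?php
// Added illustration of the CWE-89 pattern described for CVE-2025-13090.
// This is NOT the WP Directory Kit plugin's code; the function names,
// table name and nonce action below are assumptions.

// Vulnerable shape: the 'search' value is interpolated into the SQL
// string without preparation, so quote characters reach the parser
// and can change the statement structure ("append additional queries").
function wpdk_demo_search_vulnerable( string $search ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'wpdk_listings'; // assumed table name
    $sql   = "SELECT id, title FROM {$table} WHERE title LIKE '%{$search}%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened shape: escape LIKE metacharacters (% and _), then bind the
// value through a %s placeholder so it is always treated as data.
function wpdk_demo_search_safe( string $search ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'wpdk_listings'; // assumed table name
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Request handler: capability and nonce checks plus the prepared query.
// Capability checks alone do not close a SQLi: the attacker in this
// advisory (CVSS PR:H) is an administrator and passes them by definition.
function wpdk_demo_handle_search(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpdk_demo_search' ); // assumed nonce action
    // sanitize_text_field() strips tags and control characters; it is
    // not a SQL defense. The protection is the prepare() call above.
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    wp_send_json( wpdk_demo_search_safe( $search ) );
}
```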
Potential Impact
For European organizations, the primary impact of CVE-2025-13090 is the potential unauthorized disclosure of sensitive data stored in WordPress databases. This can include personal data protected under GDPR, such as user information, contact details, or business-sensitive content. Exposure of such data could lead to regulatory penalties, reputational damage, and loss of customer trust. Since exploitation requires administrator-level access, the threat is particularly significant in environments where admin credentials are shared, weakly protected, or where insider threats exist. The vulnerability does not allow modification or deletion of data, nor does it cause denial of service, limiting the scope to confidentiality breaches. However, the ability to extract sensitive data can be leveraged for further attacks, such as privilege escalation or lateral movement within the network. European organizations with public-facing WordPress sites using this plugin are at risk, especially those in sectors handling sensitive personal or financial data. The lack of known exploits reduces immediate risk but should not lead to complacency given the ease of exploitation once admin access is obtained.
Mitigation Recommendations
1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2. Monitor and audit administrator activities and database queries for unusual patterns that may indicate exploitation attempts.
3. Deploy a Web Application Firewall (WAF) with SQL Injection detection and prevention capabilities tailored to WordPress environments to block malicious payloads targeting the 'search' parameter.
4. Until an official patch is released, consider disabling or removing the WP Directory Kit plugin if it is not essential, or restrict its usage to non-administrative contexts where possible.
5. Implement the principle of least privilege for WordPress roles to minimize the number of users with administrator-level access.
6. Regularly update WordPress core, plugins, and themes to incorporate security fixes promptly once available.
7. Conduct internal penetration testing focusing on SQL Injection vectors in WordPress plugins to identify similar vulnerabilities proactively.
8. Educate administrators about the risks of SQL Injection and the importance of secure coding and parameter handling in custom plugins or themes.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T20:07:21.330Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692ed0d35ae7112264bc9d96
Added to database: 12/2/2025, 11:43:15 AM
Last enriched: 12/2/2025, 11:58:17 AM
Last updated: 12/2/2025, 12:53:57 PM