CVE-2025-13138 is a SQL Injection vulnerability identified in the WP Directory Kit plugin for WordPress, specifically affecting all versions up to and including 1.4.3. The vulnerability is located in the select_2_ajax() function, where the 'columns_search' parameter is used directly in SQL queries without proper escaping or parameterization. This improper neutralization of special elements (CWE-89) allows an unauthenticated attacker to inject arbitrary SQL commands by manipulating the 'columns_search' input. Because the plugin fails to sanitize this user-supplied input adequately, attackers can append additional SQL statements to the existing query, potentially extracting sensitive information such as user data, credentials, or other confidential database contents. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.5 reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on confidentiality, with no impact on integrity or availability. Currently, no public exploits or active exploitation campaigns have been reported, but the vulnerability's presence in a popular WordPress plugin makes it a likely target for attackers once exploit code becomes available. The lack of an official patch at the time of disclosure means that affected sites remain vulnerable until mitigations or updates are applied.

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure from WordPress sites using the WP Directory Kit plugin. Sensitive customer information, internal data, or credentials stored in the database could be exposed, leading to privacy violations and regulatory non-compliance, particularly under GDPR. The ability for unauthenticated attackers to exploit this vulnerability remotely increases the attack surface, especially for public-facing websites. Data breaches resulting from this vulnerability could damage organizational reputation, incur financial penalties, and disrupt business operations. Additionally, attackers could use extracted data to facilitate further attacks such as phishing or lateral movement within networks. The impact is heightened for organizations relying heavily on WordPress for directory or listing services, common in sectors like real estate, local business directories, and professional services across Europe.

Immediate mitigation should focus on restricting access to vulnerable endpoints, such as limiting or blocking access to the select_2_ajax() function via web application firewalls (WAFs) or server-level rules. Implementing strict input validation and sanitization for the 'columns_search' parameter can reduce exploitation risk until an official patch is available. Organizations should monitor plugin updates closely and apply patches promptly once released by the vendor. Employing parameterized queries or prepared statements in custom code can prevent SQL injection. Regular security audits and vulnerability scanning of WordPress plugins are recommended to identify similar issues proactively. Additionally, logging and monitoring database queries and web traffic for anomalous patterns can help detect exploitation attempts early. Backup strategies should be reviewed to ensure rapid recovery in case of compromise.