The WP Directory Kit plugin for WordPress, widely used to manage user directories with specialized roles, contains a vulnerability identified as CVE-2025-13920. This vulnerability arises from the wdk_public_action AJAX handler, which improperly exposes sensitive information—specifically, email addresses of users assigned Directory Kit-specific roles—to unauthenticated attackers. The flaw exists in all versions up to and including 1.4.9. Because the AJAX handler does not require authentication or user interaction, an attacker can remotely query this endpoint to harvest email addresses without any credentials. This constitutes a CWE-200 type vulnerability, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 base score of 5.3 reflects a medium severity, driven by the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no effect on integrity or availability. Although no exploits have been reported in the wild, the vulnerability poses a risk of enabling phishing campaigns or other social engineering attacks by leaking user contact information. The plugin’s widespread use in WordPress sites that maintain user directories with specialized roles increases the potential attack surface. The vulnerability was published on January 24, 2026, and no official patches or mitigations have been linked yet, necessitating proactive defensive measures.

For European organizations, the exposure of user email addresses can lead to increased phishing and spear-phishing attacks, potentially compromising user accounts or leading to credential theft. Organizations relying on WP Directory Kit for managing internal or external user directories may inadvertently leak sensitive contact information, undermining privacy compliance obligations such as GDPR. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of successful phishing attacks could be severe, including unauthorized access, data breaches, and reputational damage. Public-facing WordPress sites with Directory Kit roles are particularly vulnerable, as attackers can easily enumerate email addresses without authentication. This risk is heightened in sectors with sensitive user data or critical communications, such as government, education, and healthcare institutions prevalent in Europe. The lack of known exploits in the wild suggests a window of opportunity for defenders to remediate before widespread abuse occurs.

Immediate mitigation steps include restricting access to the wdk_public_action AJAX handler by implementing server-side access controls such as IP whitelisting or authentication requirements. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting this endpoint. Organizations should monitor web server logs for unusual or repeated access attempts to the AJAX handler and alert on patterns indicative of enumeration. Until an official patch is released, disabling or removing the WP Directory Kit plugin may be necessary if the exposure risk outweighs its utility. Site administrators should also review user role assignments to minimize exposure of sensitive roles and consider obfuscating or limiting email address visibility in the directory. Once a patch is available, prompt updating of the plugin is critical. Additionally, educating users about phishing risks and implementing multi-factor authentication can reduce the impact of any compromised credentials resulting from this vulnerability.