CVE-2025-13920: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpdirectorykit WP Directory Kit
The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
AI Analysis
Technical Summary
CVE-2025-13920 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WP Directory Kit plugin for WordPress in all versions up to and including 1.4.9. The flaw resides in the wdk_public_action AJAX handler, which improperly exposes email addresses of users assigned Directory Kit-specific roles without requiring any authentication or user interaction. This means that an unauthenticated attacker can send crafted requests to this AJAX endpoint and retrieve sensitive user email information. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date (January 24, 2026). The vulnerability is significant because email addresses can be leveraged for phishing campaigns, social engineering, or further targeted attacks against organizations using this plugin. The plugin is typically used to manage directories and user roles within WordPress sites, which are common in business, educational, and community websites. The lack of a patch or update at the time of reporting requires organizations to implement interim mitigations to protect sensitive user data.
Potential Impact
For European organizations, the exposure of user email addresses can lead to increased risk of phishing attacks, spear-phishing, and social engineering, potentially compromising user accounts or internal systems if attackers leverage the harvested emails effectively. Organizations relying on WP Directory Kit for managing user directories or role-based access on WordPress sites may face reputational damage and loss of user trust if sensitive information is leaked. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can be a stepping stone for more severe attacks. Given the widespread use of WordPress in Europe, especially in sectors like education, government, and SMEs, the impact could be significant if exploited at scale. The absence of authentication and user interaction requirements lowers the barrier for exploitation, widening the attack surface. However, the lack of known exploits in the wild suggests limited immediate risk but does not preclude future exploitation.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify whether WP Directory Kit plugin versions up to and including 1.4.9 are in use. Until an official patch is released, organizations should restrict access to the wdk_public_action AJAX handler by implementing web application firewall (WAF) rules that block or limit requests to this endpoint from untrusted sources. Additionally, IP allow-listing or authentication enforcement on AJAX endpoints can reduce exposure. Monitoring web server logs for unusual or repeated requests to the AJAX handler can help detect attempted exploitation. Organizations should also review user roles assigned by the Directory Kit plugin and minimize the number of users with Directory Kit-specific roles to reduce the volume of exposed emails. Once a patch or update is available from the vendor, it should be applied promptly. Educating users about phishing risks and implementing email filtering solutions can mitigate the impact of any harvested email addresses being used in attacks.
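The log-monitoring recommendation above can be turned into a small triage script. The following is an added example, not code from the advisory, the plugin, or the vendor. It assumes that the handler is reached through WordPress's standard admin-ajax.php entry point with an action=wdk_public_action parameter (the advisory names the handler but not the exact request shape, so adjust TARGET_ACTION and the path if your deployment differs), and it runs over constructed combined-format access-log lines embedded inline. It counts visible requests to the handler per client IP, flags sources at or above a repetition threshold, records how many of those requests carried no Referer (a directory page on the site normally sets one), and counts POSTs to admin-ajax.php that cannot be classified from the access log alone because the action parameter sits in the request body.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Not real traffic; the IPs come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.10 - - [25/Jan/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.10 - - [25/Jan/2026:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jan/2026:10:02:10 +0000] "GET /directory/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=wdk_public_action HTTP/1.1" 200 1843 "https://example.org/directory/" "Mozilla/5.0"
192.0.2.44 - - [25/Jan/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 912 "-" "curl/8.4.0"
"""

# Assumption: the vulnerable handler is invoked via WordPress's standard
# admin-ajax.php entry point with action=wdk_public_action. The advisory
# does not show the exact request shape; change these if yours differs.
TARGET_ACTION = "wdk_public_action"
AJAX_PATH_SUFFIX = "/admin-ajax.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def is_wdk_hit(rec):
    """True when the request visibly targets the wdk_public_action handler."""
    return (rec["path"].endswith(AJAX_PATH_SUFFIX)
            and TARGET_ACTION in rec["query"].get("action", []))


def analyse(log_text, threshold=3):
    """Summarise traffic to the handler per client IP.

    Returns a dict with:
      hits        - visible wdk_public_action requests per IP
      no_referer  - how many of those carried no Referer header, per IP
      flagged     - IPs with at least `threshold` hits (candidate enumeration)
      blind_posts - POSTs to admin-ajax.php whose action is in the body and
                    so cannot be classified from the access log alone
    """
    hits, no_referer = Counter(), Counter()
    blind_posts = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_wdk_hit(rec):
            hits[rec["ip"]] += 1
            if rec["referer"] == "-":
                no_referer[rec["ip"]] += 1
        elif rec["path"].endswith(AJAX_PATH_SUFFIX) and rec["method"] == "POST":
            blind_posts += 1
    flagged = sorted(ip for ip, n in hits.items() if n >= threshold)
    return {
        "hits": dict(hits),
        "no_referer": dict(no_referer),
        "flagged": flagged,
        "blind_posts": blind_posts,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for ip in summary["flagged"]:
        print(f"{ip}: {summary['hits'][ip]} requests to {TARGET_ACTION}, "
              f"{summary['no_referer'].get(ip, 0)} without Referer")
    print(f"{summary['blind_posts']} POST(s) to admin-ajax.php not classifiable "
          "from the access log")
```

On the constructed input the scripted client with three Referer-less hits is flagged while the single browser request from the site's own directory page is not. The blind_posts counter is the practical caveat: if the plugin's front end submits the action in a POST body, access logs will not show it, so the WAF or request-body logging is where the detection rule has to live.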
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T18:58:08.690Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6974c0304623b1157cb57048
Added to database: 1/24/2026, 12:50:56 PM
Last enriched: 2/1/2026, 8:35:49 AM
Last updated: 2/7/2026, 7:16:02 AM
Related Threats
- CVE-2026-2076: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2025-15491: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Post Slides (High)
- CVE-2025-15267: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (Medium)
- CVE-2025-13463: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (Medium)
- CVE-2025-12803: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in boldthemes Bold Page Builder (Medium)