CVE-2025-13920 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WP Directory Kit plugin for WordPress, specifically all versions up to and including 1.4.9. The flaw resides in the wdk_public_action AJAX handler, which can be invoked without authentication. This handler improperly exposes email addresses of users who have Directory Kit-specific roles, allowing unauthenticated attackers to enumerate and extract these email addresses. The vulnerability does not affect the integrity or availability of the system but compromises the confidentiality of user data. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (network accessible, no privileges or user interaction required) and the limited impact scope (only disclosure of email addresses). No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability was reserved in December 2025 and published in January 2026. The exposure of email addresses can facilitate further attacks such as phishing, spam campaigns, or social engineering targeted at users with elevated roles in the directory plugin. The plugin is used within WordPress environments, which are widely deployed globally, increasing the potential attack surface.

The primary impact of CVE-2025-13920 is the unauthorized disclosure of email addresses belonging to users with Directory Kit-specific roles. This leakage can lead to increased phishing and social engineering risks, potentially compromising user accounts or organizational security indirectly. While the vulnerability does not allow direct system compromise, the exposed information can be leveraged as a stepping stone for more sophisticated attacks. Organizations relying on WP Directory Kit for managing user directories may face reputational damage and user trust erosion if sensitive contact information is leaked. The scope of impact depends on the number of users assigned Directory Kit roles and the sensitivity of their email addresses. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale by automated tools, increasing the risk of mass data harvesting. However, the absence of known exploits in the wild and the medium CVSS score suggest the threat is moderate but should not be ignored.

To mitigate CVE-2025-13920, organizations should first verify if they are using WP Directory Kit versions up to 1.4.9 and plan to upgrade to a patched version once available. Until a patch is released, administrators should restrict access to the wdk_public_action AJAX handler by implementing web application firewall (WAF) rules that block unauthenticated requests to this endpoint. Additionally, applying strict access control policies to ensure only authorized users can invoke Directory Kit AJAX actions is critical. Monitoring web server logs for unusual or repeated access to the AJAX handler can help detect potential exploitation attempts. If feasible, disabling the Directory Kit plugin temporarily or limiting its functionality to trusted users can reduce exposure. Developers and site administrators should also review and harden other AJAX endpoints and user role assignments to minimize sensitive data exposure. Finally, educating users about phishing risks and encouraging strong email security practices will help mitigate downstream risks from leaked email addresses.