CVE-2025-13138
Published 2025-11-21

Priority: P2 (62)
CVSS 3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 1.42% (69.5th percentile)
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
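The advisory blames two things: the value is not escaped, and the query is not prepared. The following added example (not code from WP Directory Kit, whose PHP/MySQL query in select_2_ajax() is not reproduced on this page) shows, with sqlite3, why that combination lets an attacker append a UNION and read another table, and what binding or an identifier allowlist changes. The role of columns_search as a search term, the table and column names, and the sample rows are all assumptions for the illustration.

```python
"""Why "insufficient escaping" plus "no prepared statement" is exploitable.

Added example, not code from WP Directory Kit: the plugin runs PHP on MySQL and
the exact query in select_2_ajax() is not on this page.  Here the `columns_search`
value is ASSUMED to be a search term dropped into a WHERE clause; the mechanics
are the same in MySQL, only the comment and concatenation syntax differ.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the table the endpoint should search, plus a
    table holding secrets it should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, city TEXT);
        INSERT INTO listings (title, city) VALUES ('Bakery', 'Lyon'), ('Barber', 'Nice');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO users (login, pass_hash) VALUES ('admin', 'fakehash');
        """
    )
    return conn


def vulnerable_search(conn, columns_search: str) -> list:
    """The vulnerable pattern: the request value becomes part of the SQL text."""
    sql = f"SELECT id, title FROM listings WHERE title LIKE '%{columns_search}%'"
    return conn.execute(sql).fetchall()


def hardened_search(conn, columns_search: str) -> list:
    """Parameter binding (what $wpdb->prepare() provides in WordPress): the value
    travels separately from the statement, so it cannot change its structure."""
    sql = "SELECT id, title FROM listings WHERE title LIKE ?"
    return conn.execute(sql, (f"%{columns_search}%",)).fetchall()


ALLOWED_COLUMNS = {"title", "city"}  # assumed searchable columns


def search_in_column(conn, column: str, term: str) -> list:
    """If the parameter chooses WHICH column to search, binding cannot help,
    because identifiers are not bindable.  Allowlist the identifier, then bind
    the value."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column name: {column!r}")
    sql = f"SELECT id, title FROM listings WHERE {column} LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Closes the LIKE literal, UNIONs the secrets table, comments out the trailing %'.
# '||' is SQLite/standard concatenation; MySQL would use CONCAT().
PAYLOAD = "x%' UNION SELECT id, login || ':' || pass_hash FROM users -- "


def demo() -> dict:
    """Run both query styles against the benign term and the payload."""
    conn = build_db()
    try:
        search_in_column(conn, "id=1 OR 1=1 --", "x")
        identifier_rejected = False
    except ValueError:
        identifier_rejected = True
    return {
        "vuln_benign": vulnerable_search(conn, "Bak"),
        "vuln_attack": vulnerable_search(conn, PAYLOAD),
        "safe_benign": hardened_search(conn, "Bak"),
        "safe_attack": hardened_search(conn, PAYLOAD),
        "column_ok": search_in_column(conn, "city", "Ni"),
        "identifier_rejected": identifier_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

The vulnerable path returns the users row for the payload; the bound version returns nothing because the whole payload is just a (non-matching) search string. The allowlist function covers the case the parameter name hints at: if columns_search selects columns rather than supplying a value, prepare() alone is not a fix.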
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdirectorykit | wp_directory_kit | <= 1.4.3 | — |
Detection & IOCs (extracted from sources)
Note: the value 4b0a004830460221008b9bf3f7a4da24d34d8fdbfa8c1e49aa6744529c4cad94c7478f2e367ee4105e022100cbb4b14f771a7b62e7cfc4229ebc4ef9bb7fb5d38393d708393fdc3682363209 listed by the page as a hash is the Nuclei template's signature digest (it reappears in the template footer below), not a file or network indicator of compromise.
- Monitor HTTP requests that carry a 'columns_search' parameter to the WP Directory Kit AJAX endpoint (the select_2_ajax() handler). No session or credentials are required, so the requests of interest will typically arrive without a WordPress login cookie.
- Prioritize unauthenticated requests whose 'columns_search' value contains SQL metacharacters or keywords (quotes, comment sequences such as -- or /*, UNION, SELECT). A lone apostrophe is common in legitimate search terms, so combine it with a keyword or comment marker before alerting.
- The indexed Nuclei template matches on status_code == 200 together with a response body containing "success". Caveat: that response is not by itself evidence of injection, since ordinary use of the endpoint can produce it; treat the matcher as a reachability check and confirm exploitation with a payload-specific difference in the response (content or timing).
- All versions of WP Directory Kit up to and including 1.4.3 are affected, and the table above lists no fixed version. Scope version checks in detection rules to <= 1.4.3 and verify the plugin changelog before treating a newer release as patched.
- The Nuclei template digest (922c64590222798bb761d5b6d8e72950, paired with the signature shown in the template footer) identifies the exact template revision used, which is useful for tracking rule provenance; it is not an indicator of compromise.
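The detection guidance above, as an added example that is not part of the original page or the plugin vendor's material: a small rule run over constructed request logs. It assumes a WAF or reverse proxy that writes one JSON object per request with the parsed parameters (query string and form body merged) and a flag for whether a WordPress login cookie was present; the field names, the admin-ajax.php path and the sample traffic are this example's own assumptions.

```python
"""Detection sketch for CVE-2025-13138 over constructed request logs.

Added example, not from the advisory or the plugin vendor.  It assumes a
WAF/reverse proxy that logs one JSON object per request with parsed parameters
(query + body merged) and whether a wordpress_logged_in_* cookie was present.
Field names and the endpoint path are this example's assumptions.
"""
import json
import re

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"  # assumed path of the plugin's AJAX handler
PARAM = "columns_search"                     # injectable parameter named in the advisory

# Heuristic classes of SQL metacharacters/keywords.  A single apostrophe in a
# search term is normal traffic, so one class alone is not enough to alert.
PATTERNS = {
    "delimiter": re.compile(r"['\"`;]"),
    "comment": re.compile(r"--|/\*|#"),
    "keyword": re.compile(
        r"\b(union|select|information_schema|sleep|benchmark|load_file)\b", re.I
    ),
    "boolean": re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I),
}


def classify(value: str) -> list:
    """Return the names of the pattern classes present in a parameter value."""
    return [name for name, rx in PATTERNS.items() if rx.search(value)]


def is_sqli_like(classes: list) -> bool:
    """A SQL keyword, or two independent classes, is what we alert on."""
    return "keyword" in classes or len(classes) >= 2


def detect(log_text: str) -> list:
    """Scan JSON-lines request logs; return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("uri") != AJAX_ENDPOINT:
            continue  # other endpoints are out of scope for this rule
        value = rec.get("params", {}).get(PARAM)
        if value is None:
            continue
        classes = classify(value)
        if not is_sqli_like(classes):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "value": value,
            "classes": classes,
            # Unauthenticated hits are the advisory's attack path: rank them first.
            "priority": "high" if not rec.get("logged_in_cookie") else "medium",
            # HTTP 200 is also what benign AJAX traffic gets; record it, but do
            # not treat status alone as confirmation of exploitation.
            "status": rec.get("status"),
        })
    return findings


# Constructed sample traffic (documentation IP ranges, made-up payloads).
SAMPLE_LOG = """\
{"ts":"2025-11-22T10:01:03Z","src":"198.51.100.20","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"logged_in_cookie":false,"params":{"columns_search":"bak"}}
{"ts":"2025-11-22T10:01:09Z","src":"198.51.100.21","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"logged_in_cookie":false,"params":{"columns_search":"Rob's Deli"}}
{"ts":"2025-11-22T10:02:41Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"logged_in_cookie":false,"params":{"columns_search":"x' UNION SELECT 1,2,3-- -"}}
{"ts":"2025-11-22T10:03:02Z","src":"203.0.113.8","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"logged_in_cookie":true,"params":{"columns_search":"x' AND SLEEP(5)-- -"}}
{"ts":"2025-11-22T10:03:30Z","src":"203.0.113.9","method":"GET","uri":"/","status":200,"logged_in_cookie":false,"params":{"s":"union select"}}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['priority']:6} {f['ts']} {f['src']} {f['classes']} {f['value']!r}")
```

Two of the five sample requests are flagged: the unauthenticated UNION payload ranks high and the authenticated SLEEP payload medium, while "Rob's Deli" (apostrophe only) and the UNION text sent to a different endpoint are ignored. The status field is carried along for triage but never used as the trigger, for the reason given in the caveat above.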
Detection rules: none indexed.
Nuclei
WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection (nuclei · CVSS 7.5)

Only the matcher tail of the indexed template survived extraction; the request definition and the line that preceded these matchers (rendered as "WP Directory Kit =7'") are not recoverable from this page.

```yaml
# CVE-2025-13138 [HIGH] WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection
# Fragment only: the `dsl:` key is reconstructed from the expression syntax of the
# two matcher lines; everything above it is missing from the indexed copy.
    dsl:
      - 'status_code == 200'
      - 'contains(body, "success")'
    condition: and
# digest: 4b0a004830460221008b9bf3f7a4da24d34d8fdbfa8c1e49aa6744529c4cad94c7478f2e367ee4105e022100cbb4b14f771a7b62e7cfc4229ebc4ef9bb7fb5d38393d708393fdc3682363209:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.3/application/controllers/Wdk_frontendajax.php#L546
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wpdirectorykit/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0cad8c48-5c96-484c-acda-b33d8d8d10d3?source=cve
Published: 2025-11-21