CVE-2025-13920
Published 2026-01-24
Priority: P2
Severity: medium, CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitation status: exploited in the wild (VulnCheck KEV)
EPSS: 0.67% (47.3rd percentile)
The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdirectorykit | wp_directory_kit | <= 1.4.9 | 1.5.0 |
Detection & IOCs (extracted from sources)
PoC request body (POST to /wp-admin/admin-ajax.php): action=wdk_public_action&page=wdk_frontendajax&function=select_2_ajax&table=user_m&print_column=user_email&key_column=ID
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the body parameters action=wdk_public_action, function=select_2_ajax, table=user_m, print_column=user_email.
- A successful exploitation response returns HTTP 200 with Content-Type application/json and a body containing "success":true, "text", and an '@' character (an email address).
- Identify vulnerable WordPress installations by searching for the wpdirectorykit plugin path in page bodies.
- The vulnerable AJAX handler is wdk_public_action; unauthenticated requests (no session or auth cookie required) to this handler with the select_2_ajax function can enumerate user emails.
- The vulnerability affects WP Directory Kit plugin versions up to and including 1.4.9; version 1.5.0 and above are not affected.
- Email exposure is limited to users with Directory Kit-specific user roles, not all WordPress users.
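The request and response indicators above, turned into detection logic that runs over a handful of constructed proxy records. This is an added example, not code from the tracker page, the Nuclei template or the plugin vendor; the record field names (method, path, body, status, content_type, response) are an assumed WAF/reverse-proxy export format, and the sample records and the agent@example.com address are constructed for illustration. It also carries the version rule from the affected-range note (below 1.5.0 is affected) as a helper for inventory checks.

```python
"""Detection logic for CVE-2025-13920 probes against /wp-admin/admin-ajax.php.

Added example, not code from the tracker page or the plugin vendor. Record
field names (method, path, body, status, content_type, response) are an
assumed proxy/WAF export format; the sample records are constructed.
"""
import json
import re
from urllib.parse import parse_qs

# Body parameters that together identify the user_m / user_email enumeration
# named in the advisory's detection note. page=wdk_frontendajax and
# key_column=ID also appear in the PoC request but are not required here.
PROBE_PARAMS = {
    "action": "wdk_public_action",
    "function": "select_2_ajax",
    "table": "user_m",
    "print_column": "user_email",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_probe(record: dict) -> bool:
    """True when the request matches the advisory's pattern: a POST to
    admin-ajax.php whose body carries all four PROBE_PARAMS."""
    if record.get("method", "").upper() != "POST":
        return False
    if not record.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(record.get("body", ""))
    # parse_qs returns lists; parameter order in the body does not matter.
    return all(params.get(k, [""])[0] == v for k, v in PROBE_PARAMS.items())


def is_successful_leak(record: dict) -> bool:
    """True when the response shows the advisory's success indicators:
    HTTP 200, application/json, "success":true, a "text" key and an email."""
    if record.get("status") != 200:
        return False
    if not record.get("content_type", "").lower().startswith("application/json"):
        return False
    body = record.get("response", "")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(payload, dict) or payload.get("success") is not True:
        return False
    return '"text"' in body and EMAIL_RE.search(body) is not None


def classify(record: dict) -> str:
    """'benign' (no probe), 'probe' (attempt without leak), or 'exploited'."""
    if not is_probe(record):
        return "benign"
    return "exploited" if is_successful_leak(record) else "probe"


def triage(records) -> dict:
    """Count records per class; 'exploited' is the bucket that should page."""
    counts = {"benign": 0, "probe": 0, "exploited": 0}
    for rec in records:
        counts[classify(rec)] += 1
    return counts


def is_vulnerable_version(version: str) -> bool:
    """Affected below 1.5.0 (advisory: <= 1.4.9 vulnerable, 1.5.0+ fixed)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (1, 5, 0)


# Constructed sample records (not real traffic); example.com is a reserved domain.
SAMPLE_LOG = [
    {   # ordinary WordPress heartbeat: must not alert
        "method": "POST", "path": "/wp-admin/admin-ajax.php",
        "body": "action=heartbeat&_nonce=abc", "status": 200,
        "content_type": "application/json; charset=UTF-8",
        "response": '{"wp-auth-check":true}',
    },
    {   # attempt against a site that returns nothing useful: probe only
        "method": "POST", "path": "/wp-admin/admin-ajax.php",
        "body": "table=user_m&print_column=user_email&key_column=ID"
                "&page=wdk_frontendajax&function=select_2_ajax&action=wdk_public_action",
        "status": 200, "content_type": "application/json; charset=UTF-8",
        "response": '{"success":false,"results":[]}',
    },
    {   # successful leak: success:true, a "text" field and an '@' in the body
        "method": "POST", "path": "/wp-admin/admin-ajax.php",
        "body": "action=wdk_public_action&page=wdk_frontendajax&function=select_2_ajax"
                "&table=user_m&print_column=user_email&key_column=ID",
        "status": 200, "content_type": "application/json; charset=UTF-8",
        "response": '{"success":true,"results":[{"id":"7","text":"agent@example.com"}]}',
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(classify(rec), rec["body"][:40])
    print(triage(SAMPLE_LOG))
```

Two practical caveats: the response-side check only works where the proxy or WAF retains response bodies, which many deployments do not, so the request-side match is usually the actionable signal; and WordPress reads the `action` parameter from the request as a whole, so a GET with the same parameters in the query string would reach the same handler, which is why a wider deployment than the advisory's POST-only indicator may want to relax the method check in `is_probe`.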
CVSS provenance
- NVD: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- VulnCheck: 5.3 MEDIUM
GHSA
GHSA-7wpw-5pc9-jh59 (ghsa_unreviewed, 2026-01-24): CVE-2025-13920, MEDIUM, CWE-200
Description: identical to the advisory text above (unauthenticated email exposure via the wdk_public_action AJAX handler in versions up to and including 1.4.9).
VulnCheck
wpdirectorykit wp_directory_kit Exposure of Sensitive Information to an Unauthorized Actor (vulncheck, 2025, CVSS 5.3, MEDIUM)
Description: identical to the advisory text above.
Affected: wpdirectorykit wp_directory_kit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2025-13920
No detection rules found.
Nuclei
WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure (nuclei, CVSS 5.3, MEDIUM)
WP Directory Kit plugin for WordPress <= 1.4.9 contains a sensitive information exposure caused by improper access control in the wdk_public_action AJAX handler, letting unauthenticated attackers extract email addresses of users with Directory Kit-specific roles.
Template (truncated in the source):

```yaml
id: CVE-2025-13920

info:
  name: WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure
  author: 0x_Akoko
  severity: medium
  description: |
    WP Directory Kit plugin for WordPress <= 1.4.9 contains a sensitive information exposure caused by improper access control in wdk_public_action AJAX handler, letting unauthenticated attackers extract email addresses of users with Directory Kit-specific roles.
  impact: |
    Unauthenticated attackers can extract email addresses of use
```