cbcvebase.
CVE-2025-13920
published 2026-01-24

CVE-2025-13920: The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action…

Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Priority: P2 (78)
Exploitation: exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 0.67% (47.3rd percentile)
The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.

Affected

1 range
Vendor            Product            Version range   Fixed in
wpdirectorykit    wp_directory_kit   <= 1.4.9        1.5.0

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=wdk_public_action&page=wdk_frontendajax&function=select_2_ajax&table=user_m&print_column=user_email&key_column=ID
path: /wp-content/plugins/wpdirectorykit/
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose body carries the parameters action=wdk_public_action, function=select_2_ajax, table=user_m and print_column=user_email. Note that admin-ajax.php dispatches on $_REQUEST['action'], so the same parameters sent in the query string of a GET request reach the handler as well; a rule that inspects only POST bodies misses that variant.
  • A successful exploitation response returns HTTP 200 with Content-Type application/json and a body containing '"success":true', a '"text"' field and an '@' character (an email address).
  • Identify candidate WordPress installations by searching page bodies for the wpdirectorykit plugin path (/wp-content/plugins/wpdirectorykit/).
  • The vulnerable AJAX handler is wdk_public_action; it accepts unauthenticated requests (no session or auth cookie required), and the select_2_ajax function can be used to enumerate user emails.
  • The vulnerability affects WP Directory Kit plugin versions up to and including 1.4.9; version 1.5.0 and above are not affected.
  • Email exposure is limited to users with Directory Kit-specific user roles, not all WordPress users.
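The indicators above as runnable detection logic, added here as an example; this is not code from the advisory's sources or from the plugin. It treats a request as an attempt when it targets admin-ajax.php with all four advisory parameters in either the query string or the POST body, grades the reply against the success indicators, and fingerprints HTML pages that reference the plugin path. The record layout (method, path, body, status, ctype, resp) and every log line in SAMPLE_LOG are constructed for illustration; map the field names onto your own WAF, reverse-proxy or HTTP-capture logs.

```python
"""Detection logic for CVE-2025-13920 (WP Directory Kit email enumeration).

Added example, not advisory or plugin code. The log record layout and all
sample records are constructed; adapt the field names to real logs.
"""
import json
from urllib.parse import parse_qs, urlsplit

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
PLUGIN_PATH = "/wp-content/plugins/wpdirectorykit/"

# Parameters the advisory lists for the email-enumeration request.
EXPLOIT_PARAMS = {
    "action": "wdk_public_action",
    "function": "select_2_ajax",
    "table": "user_m",
    "print_column": "user_email",
}


def request_params(method, path, body):
    """Merge query-string and form-body parameters into one flat dict.

    admin-ajax.php dispatches on $_REQUEST['action'], so the parameters work
    in a GET query string as well as in a POST body.
    """
    parts = urlsplit(path)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if method.upper() == "POST" and body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return parts.path, params


def is_exploit_attempt(method, path, body):
    """True when the request hits admin-ajax.php with all advisory parameters."""
    route, params = request_params(method, path, body)
    if not route.endswith(AJAX_ENDPOINT):
        return False
    return all(params.get(k) == v for k, v in EXPLOIT_PARAMS.items())


def is_successful_exfil(status, content_type, resp_body):
    """Advisory success indicators: 200, JSON, "success":true, a "text"
    field and an '@' (email address) somewhere in the body."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return False
    try:
        obj = json.loads(resp_body)
    except ValueError:
        return False
    if not isinstance(obj, dict) or obj.get("success") is not True:
        return False
    return '"text"' in resp_body and "@" in resp_body


def has_plugin_fingerprint(html):
    """Page bodies referencing the plugin asset path mark installs to check."""
    return PLUGIN_PATH in html


def triage(rec):
    """Classify one log record; returns a label or None."""
    if is_exploit_attempt(rec["method"], rec["path"], rec.get("body", "")):
        if is_successful_exfil(rec["status"], rec["ctype"], rec.get("resp", "")):
            return "exploit-success"
        return "exploit-attempt"
    if rec["ctype"].lower().startswith("text/html") and has_plugin_fingerprint(rec.get("resp", "")):
        return "plugin-fingerprint"
    return None


def scan(records):
    """Return (index, label) for every record that deserves a look."""
    return [(i, triage(r)) for i, r in enumerate(records) if triage(r)]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    {"method": "POST", "path": AJAX_ENDPOINT,
     "body": "action=wdk_public_action&page=wdk_frontendajax&function=select_2_ajax"
             "&table=user_m&print_column=user_email&key_column=ID",
     "status": 200, "ctype": "application/json; charset=UTF-8",
     "resp": '{"success":true,"results":[{"id":"7","text":"alice@example.com"}]}'},
    # Same parameters via GET: still an attempt, but this reply leaks nothing.
    {"method": "GET",
     "path": AJAX_ENDPOINT + "?action=wdk_public_action&function=select_2_ajax"
             "&table=user_m&print_column=user_email&key_column=ID",
     "status": 200, "ctype": "application/json",
     "resp": '{"success":true,"results":[]}'},
    # Benign WordPress heartbeat on the same endpoint.
    {"method": "POST", "path": AJAX_ENDPOINT, "body": "action=heartbeat&_nonce=deadbeef",
     "status": 200, "ctype": "application/json", "resp": '{"success":true,"data":{}}'},
    # Front page that references the plugin's asset path.
    {"method": "GET", "path": "/", "status": 200, "ctype": "text/html; charset=UTF-8",
     "resp": '<link rel="stylesheet" href="/wp-content/plugins/wpdirectorykit/assets/css/wdk.css">'},
]

if __name__ == "__main__":
    for i, label in scan(SAMPLE_LOG):
        print(f"record {i}: {label}")
```

The success check parses the JSON rather than only substring-matching, so a reply with `"success": true` (with a space) is still graded correctly; the '"text"' and '@' checks stay as substring matches because the advisory describes them that way and the response layout is not documented on this page.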

CVSS provenance

NVD: v3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM