CVE-2025-13138 Scanner
CVE-2025-13138 Scanner - SQL Injection (SQLi) vulnerability in WP Directory Kit
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox
The WP Directory Kit is a plugin designed for use within WordPress that facilitates the creation of directory-based websites. It's used by web developers and business owners aiming to create directory listings, classifieds, and directory websites without extensive coding knowledge. The plugin integrates with WordPress to allow for customizations and expansions. It helps users populate directories with location-based listings, business reviews, and other directory-specific features. Due to its flexibility, the WP Directory Kit is employed in various industries and types of directory projects. Its user-friendly interface and comprehensive feature set make it a popular choice for non-technical users.
The SQL injection vulnerability in the WP Directory Kit plugin stems from missing input sanitization of the 'columns_search' parameter handled by the 'select_2_ajax()' function. Because the parameter is neither escaped nor passed through a prepared query, an unauthenticated attacker can alter the SQL statement the plugin executes and inject additional SQL. All plugin versions up to 1.4.3 are affected, and successful exploitation makes it possible to extract sensitive data from the WordPress database, exposing potentially large amounts of user and site data. Such vulnerabilities lead to unauthorized data access and pose significant risks to site security and user privacy.
Exploitation works through HTTP POST requests to the plugin's AJAX endpoint: by altering the 'columns_search' parameter processed by 'select_2_ajax()', an attacker can append further SQL to the query the plugin runs. The technique is a time-based blind SQL injection: a crafted statement introduces a sleep delay, and the delayed response confirms the vulnerability. Because the parameter is never properly escaped, the SQL statement can be modified at will, and because the AJAX handler processes requests without authenticating the caller, any site running an active, unpatched copy of the plugin is exposed.
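The root cause described above is a request parameter reaching the query text unescaped. As an added illustration (not WP Directory Kit's own code; the table, columns, action and handler names are assumed, only the parameter name 'columns_search' and the unauthenticated AJAX entry point come from the advisory), here is that pattern in a WordPress AJAX handler next to a hardened version that allow-lists column identifiers and binds the search value with $wpdb->prepare:

```php
<?php
// Added illustration, not the plugin's code. Table, column, action and
// handler names are assumed for the example.

// Vulnerable pattern: the identifier and the value are both interpolated
// into the SQL string, so any SQL sent in either becomes part of the query.
function example_select_2_ajax_vulnerable() {
    global $wpdb;
    $columns = isset( $_POST['columns_search'] ) ? $_POST['columns_search'] : 'title';
    $term    = isset( $_POST['q'] ) ? $_POST['q'] : '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_items "
         . "WHERE {$columns} LIKE '%{$term}%'";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern. Column names cannot be bound as prepared-statement
// parameters, so they are compared against a fixed allow-list; the search
// value is bound through $wpdb->prepare with LIKE wildcards escaped.
function example_select_2_ajax_fixed() {
    global $wpdb;
    $allowed   = array( 'title', 'address', 'category' );
    $requested = isset( $_POST['columns_search'] )
        ? array_map( 'sanitize_key', explode( ',', wp_unslash( $_POST['columns_search'] ) ) )
        : array( 'title' );
    $columns = array_values( array_intersect( $requested, $allowed ) );
    if ( empty( $columns ) ) {
        wp_send_json_error( 'invalid columns_search value', 400 );
    }
    $raw  = isset( $_POST['q'] ) ? wp_unslash( $_POST['q'] ) : '';
    $term = '%' . $wpdb->esc_like( sanitize_text_field( $raw ) ) . '%';
    // One "%s" placeholder per allow-listed column; values are bound, not concatenated.
    $where = implode( ' OR ', array_map( function ( $c ) { return "`{$c}` LIKE %s"; }, $columns ) );
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_items WHERE {$where}",
        array_fill( 0, count( $columns ), $term )
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// The nopriv hook is what makes the handler reachable without logging in,
// which is why input validation in it cannot rely on the caller being trusted.
add_action( 'wp_ajax_example_select_2', 'example_select_2_ajax_fixed' );
add_action( 'wp_ajax_nopriv_example_select_2', 'example_select_2_ajax_fixed' );
```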
If this vulnerability is exploited, the consequences include unauthorized access to sensitive database contents such as user credentials, email addresses, and other site data. With that data an attacker could compromise user accounts or manipulate site content, and further impact could include data corruption or defacement of the website. The stolen data could also be used for follow-on activities such as phishing or identity theft. Ultimately, exploitation leads to a loss of user trust and potential damage to the site owner's reputation.