{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13525", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-21T19:45:44.250Z", "datePublished": "2025-11-27T05:31:56.673Z", "dateUpdated": "2026-04-08T16:32:37.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:37.397Z"}, "affected": [{"vendor": "wpdirectorykit", "product": "WP Directory Kit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "WP Directory Kit <= 1.4.5 - Reflected Cross-Site Scripting via 'order_by' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39"}, {"url": "https://wordpress.org/plugins/wpdirectorykit/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "timeline": [{"time": "2025-11-21T20:00:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-26T17:27:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T16:21:22.165508Z", "id": "CVE-2025-13525", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:21:54.450Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13525", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T16:21:22.165508Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:21:35.176Z"}}], "cna": {"title": "WP Directory Kit <= 1.4.5 - Reflected Cross-Site Scripting via 'order_by' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpdirectorykit", "product": "WP Directory Kit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-21T20:00:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-26T17:27:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39"}, {"url": "https://wordpress.org/plugins/wpdirectorykit/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:37.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13525", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:37.397Z", "dateReserved": "2025-11-21T19:45:44.250Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T05:31:56.673Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-13525", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T06:15:46.830", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpdirectorykit/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:30:02.773497+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Directory Kit plugin to the latest available version that includes the XSS fix (any release newer than 1.4.5).", "If an update is not yet available, temporarily deactivate or remove the plugin to eliminate the vulnerable code path.", "Apply a web application firewall rule or Content Security Policy that blocks inline script execution from the affected parameter to mitigate the risk until the plugin is updated."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting via the order_by parameter"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of the WP Directory Kit WordPress plugin from its earliest versions through 1.4.5 inclusive. Any WordPress installation that has the plugin installed and active below 1.4.6 is vulnerable. Sites using a newer version or that have removed the plugin are not affected.", "description_and_impact": "The WP Directory Kit plugin for WordPress contains an input handling flaw in the order_by query parameter that is not properly sanitized or escaped when rendering the page. This flaw enables an unauthenticated attacker to craft a request that includes JavaScript code, causing that code to be reflected back to the visitor's browser when the page loads. An injected script can then perform actions such as stealing session cookies, defacing the site, or redirecting users to malicious destinations.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.1, indicating a medium severity. The EPSS score is reported as less than 1%, suggesting a very low probability of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to entice a user to visit a crafted URL, a typical XSS attack vector. While the impact does not compromise the server itself, it can lead to credential theft or defacement, posing a significant risk to site owners and visitors."}}}}, "created": "2025-11-27T16:26:25.616887+00:00", "updated": "2026-04-22T16:30:22.143817+00:00", "vendors": ["listingthemes", "listingthemes$PRODUCT$wpdirectory_kit", "wordpress", "wordpress$PRODUCT$wordpress"]}