CVE-2025-13920
WP Directory Kit <= 1.4.9 - Unauthenticated Email Exposure via wdk_public_actionThe WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
We have discovered 213 live websites that are affected by CVE-2025-13920.
Affected Software
| Product |  Wpdirectorykit |
| Category | Wordpress Plugins |
| Vulnerable Domains | 213 live websites (100% of Wpdirectorykit install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 15 versions ( 88% of all versions) |
Common Weakness Enumeration
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorDetails
- Published - Jan 24, 2026
- Updated - Jan 26, 2026
Credits
- Sarawut Poolkhet (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13920 United States | 63 websites |
 Italy | 24 websites |
 Germany | 18 websites |
 Brazil | 7 websites |
 Netherlands | 7 websites |
 Cyprus | 7 websites |
 Poland | 6 websites |
 India | 6 websites |
 France | 6 websites |
 South Africa | 5 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13920| .com | 102 websites |
| .it | 15 websites |
| .com.br | 7 websites |
| .org | 6 websites |
| .de | 6 websites |
| .nl | 5 websites |
| .pl | 5 websites |
| .net | 3 websites |
| .co.uk | 3 websites |
| .com.au | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13920
Top websites that are affected by CVE-2025-13920. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | ***,*** | |
| ***************.org | United States | ***,*** | |
| ************************.com | Germany | *,***,*** | |
| ***************.com | United States | *,***,*** | |
| *****.nl | Netherlands | *,***,*** | |
| ************.com | United States | *,***,*** | |
| ******.net | United States | *,***,*** | |
| *******************.***.au |  Australia | *,***,*** | |
| ***************.lt |  Lithuania | *,***,*** | |
| *********.org | United States | *,***,*** |
FAQ
CVE-2025-13920 is Exposure of Sensitive Information to an Unauthorized Actor in Wpdirectorykit
A total of 213 websites have been identified as vulnerable to CVE-2025-13920, based on global website indexing conducted by WebTechSurvey.
The Wpdirectorykit is affected by the CVE-2025-13920 vulnerability.
Wpdirectorykit versions up to and including 1.4.9 are vulnerable to CVE-2025-13920.