Skip to main content

Wp Directory Kit

15 CVEs product

Monthly

CVE-2026-39534 HIGH This Week

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Wp Directory Kit
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-42672 CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, enabling extraction of database contents and limited tampering with site availability. The CVSS 9.3 score reflects network-reachable exploitation with no privileges or user interaction and a scope change into the WordPress database context; no public exploit identified at time of analysis, though Patchstack has cataloged the flaw.

SQLi Wp Directory Kit
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-39531 CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthenticated attackers to inject SQL commands through improperly neutralized input. With a CVSS 9.3 (scope-changed) rating from Patchstack, successful exploitation can expose sensitive database contents and partially impact availability across the WordPress installation. No public exploit identified at time of analysis and the plugin is not currently listed in CISA KEV.

SQLi Wp Directory Kit
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-13390 CRITICAL POC PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Authentication Bypass WordPress Wp Directory Kit PHP
NVD GitHub
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-37487 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectorykit.Com WP Directory Kit allows Reflected XSS.3.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Directory Kit
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-37253 LOW Monitor

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in WpDirectoryKit WP Directory Kit allows Code Injection.3.6. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Wp Directory Kit
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2024-3217 HIGH PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' parameters in all versions up to, and including, 1.3.0 due to insufficient. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 47.2%.

SQLi WordPress Wp Directory Kit
NVD VulDB
CVSS 3.1
8.8
EPSS
47.2%
CVE-2024-29774 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP Directory Kit allows Reflected XSS.2.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Directory Kit
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2023-31229 MEDIUM This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WP Directory Kit.1.9. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Wp Directory Kit
NVD
CVSS 3.1
4.7
EPSS
0.2%
CVE-2023-2279 MEDIUM PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Directory Kit
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-2351 MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Wp Directory Kit
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-2278 CRITICAL POC PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress PHP RCE Information Disclosure Path Traversal +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-2277 MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Wp Directory Kit
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2023-2280 MEDIUM PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_public' function in versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Wp Directory Kit
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-2835 MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in versions up to, and including, 1.2.3 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress Wp Directory Kit
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.9%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Wp Directory Kit
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, enabling extraction of database contents and limited tampering with site availability. The CVSS 9.3 score reflects network-reachable exploitation with no privileges or user interaction and a scope change into the WordPress database context; no public exploit identified at time of analysis, though Patchstack has cataloged the flaw.

SQLi Wp Directory Kit
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthenticated attackers to inject SQL commands through improperly neutralized input. With a CVSS 9.3 (scope-changed) rating from Patchstack, successful exploitation can expose sensitive database contents and partially impact availability across the WordPress installation. No public exploit identified at time of analysis and the plugin is not currently listed in CISA KEV.

SQLi Wp Directory Kit
NVD
EPSS 1% CVSS 10.0
CRITICAL POC PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Authentication Bypass WordPress Wp Directory Kit +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpdirectorykit.Com WP Directory Kit allows Reflected XSS.3.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Directory Kit
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in WpDirectoryKit WP Directory Kit allows Code Injection.3.6. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Wp Directory Kit
NVD
EPSS 47% CVSS 8.8
HIGH PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' parameters in all versions up to, and including, 1.3.0 due to insufficient. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 47.2%.

SQLi WordPress Wp Directory Kit
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpDirectoryKit WP Directory Kit allows Reflected XSS.2.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wp Directory Kit
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WP Directory Kit.1.9. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Wp Directory Kit
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Directory Kit
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Wp Directory Kit
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress PHP RCE +3
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Wp Directory Kit
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_public' function in versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Wp Directory Kit
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in versions up to, and including, 1.2.3 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress Wp Directory Kit
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy