CVE-2025-13390

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/d0n601/CVE-2025-13390	Exploit Third Party Advisory
https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/	Patch
https://ryankozak.com/posts/cve-2025-13390/	Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve	Third Party Advisory
https://github.com/d0n601/CVE-2025-13390	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2025-12-03 14:15

Updated : 2025-12-16 21:17

NVD link : CVE-2025-13390

Mitre link : CVE-2025-13390

CVE.ORG link : CVE-2025-13390

JSON object : View

Products Affected

wpdirectorykit

wp_directory_kit

CWE

CWE-303

Incorrect Implementation of Authentication Algorithm

{"id": "CVE-2025-13390", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-12-03T14:15:48.280", "references": [{"url": "https://github.com/d0n601/CVE-2025-13390", "tags": ["Exploit", "Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://ryankozak.com/posts/cve-2025-13390/", "tags": ["Exploit"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://github.com/d0n601/CVE-2025-13390", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-303"}]}], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the \"wdk_generate_auto_login_link\" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token."}], "lastModified": "2025-12-16T21:17:39.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "000C72F0-7DA8-40EC-B33F-6C87223D41EF", "versionEndIncluding": "1.4.4"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}