CVE-2025-13390
published 2025-12-03


Priority: P188
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 4.72% (90.7th percentile)
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Affected (2 ranges)

Vendor          Product           Version range   Fixed in
listingthemes   wp_directory_kit  1.4.0 – 1.4.4
wpdirectorykit  wp_directory_kit  <= 1.4.4

Detection & IOCs (extracted from sources)

url:   /?auto-login=1&user_id=1&token=c4ca4238a0
other: token=c4ca4238a0
path:  /wp-content/plugins/wpdirectorykit
path:  /wp-content/plugins/wpdirectorykit/trunk/actions.php#L116
  • Detect exploitation attempts by monitoring GET requests to the auto-login endpoint with parameters auto-login=1, user_id=1, and token=c4ca4238a0 (first 10 chars of MD5('1')).
  • A successful authentication bypass will result in an HTTP 302 redirect response that sets a 'wordpress_logged_in_' cookie in the response headers.
  • Fingerprint vulnerable WordPress installations by searching for the string '/wp-content/plugins/wpdirectorykit' in HTML body (Shodan/FOFA pivoting).
  • The vulnerable function 'wdk_generate_auto_login_link' in actions.php (line 116) generates tokens using only the first 10 characters of MD5(user_id), making all tokens for known user IDs trivially predictable and brute-forceable.
  • The predictable token value (c4ca4238a0) is static only for user_id=1. Attackers targeting other user IDs would use the first 10 characters of the MD5 of the respective user_id integer, so detection rules should account for variable token values beyond just c4ca4238a0.
  • The Nuclei template follows redirects (max 2), meaning the actual session cookie may be set on a redirected response; detection infrastructure must inspect redirect chain headers, not just the initial response.

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   10.0 CRITICAL