CVE-2025-13390
Published: 2025-12-03
Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.72% (90.7th percentile)
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| listingthemes | wp_directory_kit | 1.4.0 – 1.4.4 | — |
| wpdirectorykit | wp_directory_kit | <= 1.4.4 | — |
Detection & IOCs
- Detect exploitation attempts by monitoring GET requests to the auto-login endpoint with parameters auto-login=1, user_id=1, and token=c4ca4238a0 (first 10 chars of MD5('1')).
- A successful authentication bypass will result in an HTTP 302 redirect response that sets a 'wordpress_logged_in_' cookie in the response headers.
- Fingerprint vulnerable WordPress installations by searching for the string '/wp-content/plugins/wpdirectorykit' in HTML body (Shodan/FOFA pivoting).
- The vulnerable function 'wdk_generate_auto_login_link' in actions.php (line 116) generates tokens using only the first 10 characters of MD5(user_id), making all tokens for known user IDs trivially predictable and brute-forceable.
- The predictable token value (c4ca4238a0) is static only for user_id=1. Attackers targeting other user IDs would use the first 10 characters of MD5 of the respective user_id integer, so detection rules should account for variable token values beyond just c4ca4238a0.
- The Nuclei template follows redirects (max 2), meaning the actual session cookie may be set on a redirected response; detection infrastructure must inspect redirect chain headers, not just the initial response.
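An added example (not from the page, the plugin, or the Nuclei template): log triage for the request-pattern and variable-token points above, recomputing the expected token for whatever user_id appears in the request instead of matching only c4ca4238a0. The combined log format, the request path and the sample lines are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Request target and status code from a combined-format access log entry (assumed format).
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def predictable_token(user_id: str) -> str:
    """Token as the page describes it: first 10 hex chars of MD5(user_id)."""
    return hashlib.md5(user_id.encode()).hexdigest()[:10]

def classify(line: str):
    """Return None for unrelated lines, else a dict describing the auto-login attempt."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("target")).query)
    if qs.get("auto-login", [""])[0] != "1":
        return None
    user_id = qs.get("user_id", [""])[0]
    token = qs.get("token", [""])[0].lower()
    forged = user_id.isdigit() and token == predictable_token(user_id)
    return {
        "user_id": user_id,
        "token_matches_md5_prefix": forged,
        # 302 is only a hint: the wordpress_logged_in_ cookie lives in response
        # headers, which access logs do not record.
        "likely_success": forged and m.group("status") == "302",
    }

def scan(lines):
    """Keep only the lines that hit the auto-login parameters."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: documentation IP ranges, made-up path and timestamps.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Dec/2025:10:01:02 +0000] '
    '"GET /?auto-login=1&user_id=1&token=c4ca4238a0 HTTP/1.1" 302 0',
    '203.0.113.7 - - [04/Dec/2025:10:01:03 +0000] '
    f'"GET /?auto-login=1&user_id=2&token={predictable_token("2")} HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Dec/2025:10:05:00 +0000] '
    '"GET /?auto-login=1&user_id=1&token=0000000000 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Dec/2025:10:05:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Lines where `token_matches_md5_prefix` is true are worth alerting on regardless of status, since the session cookie may be set later in the redirect chain.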
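CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 10.0 | CRITICAL | — |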
GHSA
GHSA-cmp6-j4f4-vm9f
ghsa_unreviewed · 2025-12-03
CVE-2025-13390 [CRITICAL] CWE-303
VulnCheck
wpdirectorykit wp_directory_kit Incorrect Implementation of Authentication Algorithm
vulncheck·2025·CVSS 10.0
Affected: wpdirectorykit wp_directory_kit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Reference
No detection rules found.
Nuclei
WP Directory Kit <= 1.4.4 - Authentication Bypass
nuclei·CVSS 9.8
The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access by exploiting a cryptographically weak token generation mechanism that uses only the first 10 characters of MD5(user_id). For user_id=1 (typically admin), the token is always predictable.
Template:
```yaml
id: CVE-2025-13390

info:
  name: WP Directory Kit <= 1.4.4 - Authentication Bypass
  author: maxthepm
  severity: critical
  description: |
    The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated
```
No writeups or analysis indexed.
2025-12-03
Published
Exploited in the wild