Cyber Posture

CVE-2025-13390

Severity: Critical (public PoC available)

Published: 03 December 2025
Modified: 16 December 2025
KEV Added: not listed
Patch: not listed
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.3499 (97.1st percentile)
Risk Priority: 41 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Mitigating Controls (NIST 800-53 r5) [AI]

- Prevent: IA-5 requires management of authenticators with cryptographic strength requirements, directly mitigating the use of predictably weak tokens in the auto-login function.
- Prevent: AC-14 restricts privileged actions without identification or authentication, preventing exploitation of the auto-login endpoint for administrative access.
- Prevent: SI-2 mandates timely flaw remediation, such as patching the WP Directory Kit plugin to fix the weak token generation vulnerability.

Security Summary [AI]

CVE-2025-13390 is an authentication bypass vulnerability affecting the WP Directory Kit plugin for WordPress in all versions up to and including 1.4.4. The issue stems from an incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function, which relies on a cryptographically weak token generation mechanism. This flaw results in predictable tokens that can be leveraged via the auto-login endpoint, earning a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and mapping to CWE-303 (Incorrect Implementation of Authentication Algorithm).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By predicting the weak token, they can access the auto-login endpoint to bypass authentication entirely, gaining administrative privileges and achieving full site takeover, including arbitrary code execution, data exfiltration, or site defacement.

Advisories from sources like Wordfence and the WordPress plugin trac recommend updating the WP Directory Kit plugin beyond version 1.4.4, with a specific patch referenced in trac changeset 3400599. Additional details on the vulnerability and proof-of-concept are available in researcher repositories such as GitHub/d0n601/CVE-2025-13390 and ryankozak.com/posts/cve-2025-13390.

Details

CWE(s): CWE-303 (Incorrect Implementation of Authentication Algorithm)

Affected Products: wpdirectorykit / WP Directory Kit, versions ≤ 1.4.4

MITRE ATT&CK Enterprise Techniques [AI]

- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated attackers to bypass authentication via a predictable token in a public-facing WordPress plugin, impersonating administrative accounts (T1078) and exploiting the public-facing application (T1190) for site takeover.
