CVE-2025-13390 Overview
CVE-2025-13390 is a critical authentication bypass vulnerability affecting the WP Directory Kit plugin for WordPress. The vulnerability exists in all versions up to and including 1.4.4 due to an incorrect implementation of the authentication algorithm in the wdk_generate_auto_login_link function. The flaw stems from the use of a cryptographically weak token generation mechanism, which allows unauthenticated attackers to predict authentication tokens and gain administrative access to affected WordPress sites.
Critical Impact
Unauthenticated attackers can achieve full site takeover by exploiting predictable tokens in the auto-login endpoint, gaining complete administrative control over vulnerable WordPress installations.
Affected Products
- WP Directory Kit versions up to and including 1.4.4
- WordPress sites running vulnerable WP Directory Kit installations
- All configurations using the auto-login feature
Discovery Timeline
- 2025-12-03 - CVE-2025-13390 published to NVD
- 2025-12-16 - Last updated in NVD database
Technical Details for CVE-2025-13390
Vulnerability Analysis
This authentication bypass vulnerability (CWE-303: Incorrect Implementation of Authentication Algorithm) allows attackers to circumvent the intended authentication mechanisms of the WP Directory Kit plugin. The core issue lies in the wdk_generate_auto_login_link function, which generates authentication tokens using a cryptographically weak algorithm. These predictable tokens can be computed or brute-forced by attackers, enabling them to construct valid auto-login URLs without prior authentication.
The vulnerability is particularly severe because it requires no user interaction and can be exploited remotely over the network. An attacker with no privileges on the target system can leverage this weakness to gain full administrative access to the WordPress installation, compromising the confidentiality, integrity, and availability of the entire site.
Root Cause
The root cause of CVE-2025-13390 is the use of a cryptographically insecure random number generation mechanism within the token creation process. The wdk_generate_auto_login_link function does not draw its tokens from a source with sufficient entropy or cryptographic strength. As a result, tokens can be predicted, computed, or brute-forced in a feasible amount of time, completely undermining the security of the auto-login feature.
Attack Vector
The attack is conducted remotely over the network, targeting the auto-login endpoint exposed by the WP Directory Kit plugin. An attacker can:
- Identify WordPress sites running vulnerable versions of WP Directory Kit
- Analyze or predict the token generation pattern used by wdk_generate_auto_login_link
- Generate or enumerate valid authentication tokens
- Access the auto-login endpoint with a valid predicted token
- Achieve administrative access and full site takeover
The vulnerability mechanism involves the predictable token generation in the authentication function. Technical details and proof-of-concept implementations are available through the GitHub PoC Repository and Ryan Kozak's CVE Analysis.
Detection Methods for CVE-2025-13390
Indicators of Compromise
- Unexpected administrative logins from unfamiliar IP addresses or geographic locations
- Unusual access patterns to the WP Directory Kit auto-login endpoint
- New administrator accounts created without authorized user action
- Suspicious modifications to site content, themes, or plugins
- Authentication logs showing successful logins without corresponding password authentication
Detection Strategies
- Monitor WordPress access logs for repeated requests to auto-login endpoints
- Implement web application firewall (WAF) rules to detect and block suspicious auto-login attempts
- Deploy file integrity monitoring to detect unauthorized changes to WordPress core files and plugin configurations
- Enable WordPress security plugins with real-time threat detection capabilities
Monitoring Recommendations
- Configure alerts for new administrator account creation
- Monitor for bulk or sequential requests to authentication-related endpoints
- Review authentication logs regularly for anomalous login patterns
- Implement rate limiting on login and auto-login endpoints
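As an added example (not code from the original page, the plugin, or Wordfence), the detection and monitoring items above expressed as log-review logic in Python: it parses combined-format access logs, counts requests carrying the wdk_auto_login query parameter per source address in a sliding window, flags bursts that look like token guessing, and notes whether any request in the burst was not rejected by the web server. The log lines, addresses and token values are constructed; the parameter name is the one used by the .htaccess rule on this page and is an assumption to adjust if your installed version differs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx). Sample lines are constructed for this example
# (RFC 5737 documentation addresses, placeholder tokens), not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Query parameter matched by the .htaccess rule on this page; adjust if your install differs.
AUTO_LOGIN_PARAM = "wdk_auto_login"

SAMPLE_LOG = """\
203.0.113.10 - - [16/Dec/2025:10:00:01 +0000] "GET /?wdk_auto_login=1&token=0001 HTTP/1.1" 403 199
203.0.113.10 - - [16/Dec/2025:10:00:02 +0000] "GET /?wdk_auto_login=1&token=0002 HTTP/1.1" 403 199
203.0.113.10 - - [16/Dec/2025:10:00:03 +0000] "GET /?wdk_auto_login=1&token=0003 HTTP/1.1" 403 199
203.0.113.10 - - [16/Dec/2025:10:00:04 +0000] "GET /?wdk_auto_login=1&token=0004 HTTP/1.1" 403 199
203.0.113.10 - - [16/Dec/2025:10:00:05 +0000] "GET /?wdk_auto_login=1&token=0005 HTTP/1.1" 302 0
198.51.100.7 - - [16/Dec/2025:10:05:00 +0000] "GET /?wdk_auto_login=1&token=9f3c HTTP/1.1" 302 0
198.51.100.7 - - [16/Dec/2025:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 4523
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    target = urlsplit(m["target"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "query": parse_qs(target.query), "status": int(m["status"])}

def find_auto_login_bursts(lines, window_s=60, threshold=5):
    """Flag source IPs with >= threshold auto-login requests inside any window_s-second span
    (token guessing); reached_plugin is True if any of them got a status < 400, i.e. was not
    rejected by the web server (the .htaccess rule answers 403) and so reached WordPress."""
    recent = defaultdict(deque)   # per-IP sliding window of auto-login events
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or AUTO_LOGIN_PARAM not in ev["query"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()   # drop events older than the window
        if len(q) >= threshold:
            f = findings.setdefault(ev["ip"], {"ip": ev["ip"], "requests": 0, "reached_plugin": False})
            f["requests"] = max(f["requests"], len(q))
            f["reached_plugin"] = f["reached_plugin"] or any(e["status"] < 400 for e in q)
    return list(findings.values())
```

A single legitimate auto-login from 198.51.100.7 stays below the threshold and is not reported; tune window_s and threshold to the site's normal use of the feature.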
How to Mitigate CVE-2025-13390
Immediate Actions Required
- Update WP Directory Kit to a patched version immediately (versions after 1.4.4)
- Audit existing administrator accounts for any unauthorized additions
- Review recent site changes for signs of compromise
- Consider temporarily disabling the auto-login feature until patched
- Reset administrative credentials if compromise is suspected
Patch Information
The vendor has released a patch to address this vulnerability. The fix can be reviewed in the WordPress Plugin Changeset 3400599. Site administrators should update to the latest version of WP Directory Kit as soon as possible.
Additional threat intelligence and vulnerability details are available from Wordfence Threat Intelligence.
Workarounds
- Disable the auto-login feature in WP Directory Kit if updating is not immediately possible
- Implement additional authentication layers such as two-factor authentication for all administrator accounts
- Use a web application firewall to block suspicious requests to the auto-login endpoint
- Restrict administrative access to trusted IP addresses through .htaccess or server configuration
If immediate patching is not possible, administrators can restrict access to the auto-login functionality by adding rules to their web server configuration. The rule below returns 403 for any request whose query string contains wdk_auto_login; confirm that this matches the parameter name used by your installed version, and note that it also blocks legitimate auto-login links until the plugin is updated:
# Block access to auto-login endpoints until patched
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} wdk_auto_login [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.