CVE-2025-13390 – The WP Directory Kit WordPress plugin has an au... (How to Fix)

Q: What is the severity of CVE-2025-13390?

CVE-2025-13390 has a CVSS score of 10.0 (CRITICAL). The WP Directory Kit WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to generate predictable auto-login tokens. This enables attackers to gain administrative access and achieve full site takeover. All WordPress sites using WP Directory Kit version 1.4.4 or earlier are affected.

📋 TL;DR

The WP Directory Kit WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to generate predictable auto-login tokens. This enables attackers to gain administrative access and achieve full site takeover. All WordPress sites using WP Directory Kit version 1.4.4 or earlier are affected.

💻 Affected Systems

Products:

WP Directory Kit WordPress Plugin

Versions: All versions up to and including 1.4.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Any WordPress site with the WP Directory Kit plugin installed and activated is vulnerable.

📦 What is this software?

Wp Directory Kit by Wpdirectorykit

View all CVEs affecting Wp Directory Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise with administrative access, allowing data theft, defacement, malware injection, and backdoor installation.

🟠

Likely Case

Unauthenticated attackers gain administrative privileges and take control of the WordPress site.

🟢

If Mitigated

Attackers can still attempt exploitation but will be blocked by proper security controls and monitoring.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Directory Kit and click 'Update Now'. 4. Verify version is 1.4.5 or later.

🔧 Temporary Workarounds

Disable WP Directory Kit Plugin

all

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate wpdirectorykit

Block Auto-Lin Endpoint

linux

Use web application firewall or .htaccess to block access to the vulnerable endpoint.

RewriteEngine On
RewriteRule ^wp-content/plugins/wpdirectorykit/.*wdk_generate_auto_login_link.*$ - [F,L]

🧯 If You Can't Patch

Remove WP Directory Kit plugin completely from the WordPress installation
Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → WP Directory Kit version. If version is 1.4.4 or earlier, you are vulnerable.

Check Version:

wp plugin get wpdirectorykit --field=version

Verify Fix Applied:

After updating, verify WP Directory Kit version is 1.4.5 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-content/plugins/wpdirectorykit/ endpoints
Multiple failed login attempts followed by successful admin login from new IP
Administrative actions from unfamiliar IP addresses

Network Indicators:

HTTP requests containing 'wdk_generate_auto_login_link' in URL or parameters
Unusual traffic patterns to WordPress admin endpoints

SIEM Query:

source="web_logs" AND (uri_path="*wdk_generate_auto_login_link*" OR user_agent="*wpdirectorykit*")

📊 Metadata

CVE ID: CVE-2025-13390

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-303

EPSS Score: 0.57% exploit probability (68.1th percentile)

Published: December 3, 2025

Last Updated: December 16, 2025

🔗 References

https://github.com/d0n601/CVE-2025-13390 Exploit,Third Party Advisory
https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/ Patch
https://ryankozak.com/posts/cve-2025-13390/ Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve Third Party Advisory
https://github.com/d0n601/CVE-2025-13390 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13390, you might also want to check these: