CVE-2025-13390 | The WP Directory Kit plugin for WordPress is vulnerable to a… | CVSS 10.0 CRITICAL

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Metadata

CVE ID: CVE-2025-13390
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-11-18 21:50 UTC
Published: 2025-12-03 13:52 UTC
Last updated: 2025-12-08 15:59 UTC
Primary CWE: CWE-303
CWE-303 Incorrect Implementation of Authentication Algorithm
Vendor / Product: listingthemes / WP Directory Kit
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
listingthemes	WP Directory Kit	—	1.4.0 ≤ 1.4.4

Weakness (CWE)

CWE	Source	Description
CWE-303	cna	CWE-303 Incorrect Implementation of Authentication Algorithm

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (4)