Platform: wordpress
Component: wpdirectorykit
Fixed in: 1.4.5
CVE-2025-13390 is a critical privilege escalation vulnerability affecting the WP Directory Kit WordPress plugin. This flaw allows unauthenticated attackers to bypass authentication and gain administrative access, potentially leading to complete site takeover. The vulnerability exists in versions 1.4.0 through 1.4.4 and is resolved in version 1.4.5. Immediate action is recommended to mitigate this risk.
The impact of CVE-2025-13390 is severe. Successful exploitation allows an attacker to bypass authentication entirely, granting them full administrative privileges on the WordPress site. This means the attacker can modify any content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and even deface the website. The predictable token generation mechanism makes exploitation relatively straightforward, increasing the likelihood of attacks. This vulnerability shares similarities with other authentication bypass flaws where weak token generation is the root cause, potentially leading to widespread compromise if left unaddressed.
CVE-2025-13390 was publicly disclosed on December 3, 2025. The vulnerability's simplicity and the widespread use of WordPress plugins make it a likely target for automated exploitation. No public proof-of-concept (PoC) code has been released at the time of this writing, but the ease of exploitation suggests that PoCs are likely to emerge. The vulnerability has not yet been added to the CISA KEV catalog.
Websites utilizing the WP Directory Kit plugin, particularly those running versions 1.4.0 through 1.4.4, are at significant risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others. Sites with weak password policies or those that haven't recently updated their WordPress installation are particularly vulnerable.
• wordpress / composer / npm:
  grep -r 'wdk_generate_auto_login_link' /var/www/html/wp-content/plugins/wp-directory-kit/
• wordpress / composer / npm:
  wp plugin list | grep "WP Directory Kit"
• wordpress / composer / npm:
  wp plugin update wp-directory-kit --version=1.4.5
• generic web: Check the WordPress plugin directory for mentions of CVE-2025-13390 and WP Directory Kit.
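As an added check that is not part of the advisory, the script below reads the installed plugin's header version and tests it against the affected range 1.4.0 through 1.4.4 using numeric (not string) comparison. The plugin's main file name is not given on this page, so every top-level .php file under the plugin directory is scanned for a `Version:` header, which is where WordPress itself reads it; the embedded sample header is constructed for offline use.

```python
import re
import sys
from pathlib import Path

# Affected range for CVE-2025-13390 as stated in the advisory (fixed in 1.4.5).
AFFECTED_MIN, AFFECTED_MAX = (1, 4, 0), (1, 4, 4)

# Matches the "Version:" line of a WordPress plugin header comment (" * Version: 1.4.3").
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample header for offline use; not taken from the real plugin.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: WP Directory Kit\n * Version: 1.4.3\n */\n"

def parse_version(text):
    """'1.4.3' or '1.4.3-beta' -> (1, 4, 3); missing components compare as 0."""
    core = re.split(r"[^0-9.]", text, maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split(".") if p)
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    """True when the version lies within 1.4.0..1.4.4 (so 1.4.10 is correctly outside)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def version_from_header(php_source):
    """Return the Version header value from a plugin file's source, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def find_plugin_version(plugin_dir):
    """Scan top-level .php files (where WordPress reads plugin headers) for a version."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # Headers sit at the top of the file; the first 8 KiB is enough.
        version = version_from_header(php.read_text(errors="replace")[:8192])
        if version:
            return version
    return None

if __name__ == "__main__":
    # Default path comes from the advisory's grep command; pass another as argv[1].
    plugin_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/plugins/wp-directory-kit"
    # Fall back to the constructed sample when the directory is not present on this host.
    found = find_plugin_version(plugin_dir) if Path(plugin_dir).is_dir() else version_from_header(SAMPLE_HEADER)
    if found is None:
        print("no plugin header found under", plugin_dir)
    elif is_affected(found):
        print(f"WP Directory Kit {found}: affected by CVE-2025-13390, update to 1.4.5 or later")
    else:
        print(f"WP Directory Kit {found}: outside the affected range")
```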
disclosure
Exploit Status
EPSS
0.66% (71st percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-13390 is to immediately upgrade the WP Directory Kit plugin to version 1.4.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the auto-login endpoint. This can be achieved by modifying the .htaccess file to deny access to the endpoint or by implementing a custom firewall rule. Monitor WordPress logs for suspicious activity, particularly attempts to access the auto-login endpoint. After upgrading, verify the fix by attempting to access the auto-login endpoint without authentication; access should be denied.
Update to version 1.4.5, or a newer patched version
CVE-2025-13390 is a critical vulnerability in the WP Directory Kit plugin for WordPress allowing unauthenticated attackers to gain admin access due to a weak token generation mechanism.
You are affected if your WordPress site uses the WP Directory Kit plugin in versions 1.4.0 through 1.4.4. Upgrade to 1.4.5 to resolve the issue.
Upgrade the WP Directory Kit plugin to version 1.4.5 or later. If immediate upgrade is not possible, temporarily restrict access to the auto-login endpoint.
While no public exploits are currently known, the vulnerability's simplicity makes it a likely target for exploitation. Monitor your site closely.
Refer to the WP Directory Kit plugin's official website or WordPress plugin repository for the latest advisory and update information.