CVE-2025-13390CRITICAL 9.8EPSS p90.7%

CVE-2025-13390CVE-2025-13390

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS4.72% probability of exploitation · percentile 90.7% · 2026-06-18T12:00:27Z
Published2025-12-03
Last modified2025-12-16

Underlying weaknesses· 1

CWE-303

References

  1. https://github.com/d0n601/CVE-2025-13390
  2. https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/
  3. https://ryankozak.com/posts/cve-2025-13390/
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve
  5. https://github.com/d0n601/CVE-2025-13390

1

TypeTargetConfidenceTier
WeaknessIncorrect Implementation of Authentication Algorithmcwe-3030%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-0316
CVE
CVE-2025-7444
CVE
CVE-2025-1570
CVE
CVE-2025-14386
CVE
CVE-2025-10294
CVE
CVE-2025-10484
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.