CVE-2025-13390

CRITICAL · EXPLOITED · NUCLEI

WP Directory Kit <= 1.4.4 - Unauthenticated Authentication Bypass via Weak Auto-Login Token

Title source: llm

Exploitation Summary

CVE-2025-13390 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Nxploited, sidmug3307, d0n601. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits an authentication bypass vulnerability in WordPress (CVE-2025-13390) to extract login cookies and upload a malicious plugin for remote code execution. It automates the process with multi-threading and logs successful exploits.

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to an incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function: the auto-login feature uses a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Exploits (3)

nomisec · Working PoC
by Nxploited · remote
https://github.com/Nxploited/CVE-2025-13390

This PoC exploits an authentication bypass vulnerability in WordPress (CVE-2025-13390) to extract login cookies and upload a malicious plugin for remote code execution. It automates the process with multi-threading and logs successful exploits.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress (version not specified)
Authentication: none needed
Prerequisites: Target WordPress instance vulnerable to CVE-2025-13390 · Network access to the target · Python environment with required libraries
Analyzed by devstral-2 · Feb 16, 2026

nomisec · Working PoC
by d0n601 · remote
https://github.com/d0n601/CVE-2025-13390

This PoC exploits an authentication bypass in WP Directory Kit <= 1.4.4 via a predictable token (first 10 chars of MD5(user_id)), allowing unauthenticated attackers to gain admin access and upload a webshell plugin for RCE.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WP Directory Kit <= 1.4.4
Authentication: none needed
Prerequisites: WordPress site with WP Directory Kit <= 1.4.4 installed · User ID 1 must be an administrator
Analyzed by devstral-2 · Feb 16, 2026

Nuclei Templates (1)

WP Directory Kit <= 1.4.4 - Authentication Bypass
CRITICAL · VERIFIED · by maxthepm
Shodan: html:"/wp-content/plugins/wpdirectorykit"
FOFA: body:/wp-content/plugins/wpdirectorykit

Scores

CVSS v3: 10.0
EPSS: 0.5292
EPSS Percentile: 98.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-12-03
CWE: CWE-303
Status: published
Products (1): wpdirectorykit/wp_directory_kit < 1.4.4
Published: Dec 03, 2025
Tracked Since: Feb 18, 2026