CVE-2025-13390 identifies a critical vulnerability in the WP Directory Kit plugin for WordPress, specifically in versions up to and including 1.4.4. The vulnerability stems from an incorrect implementation of the authentication algorithm within the wdk_generate_auto_login_link function. This function generates auto-login tokens intended to allow users to log in without entering credentials. However, the token generation mechanism is cryptographically weak and predictable, which violates secure authentication principles (CWE-303). As a result, an unauthenticated attacker can craft valid tokens to bypass authentication controls entirely. This bypass grants administrative privileges, enabling full site takeover. The vulnerability is remotely exploitable over the network without requiring any prior authentication or user interaction. The CVSS v3.1 base score is 10.0, indicating critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or exploits in the wild are currently reported, but the risk is substantial given the ease of exploitation and potential damage. The vulnerability affects the listingthemes vendor's WP Directory Kit plugin, which is used to manage directories on WordPress sites.

The impact of CVE-2025-13390 is severe for organizations using the WP Directory Kit plugin. Successful exploitation results in complete administrative access to the WordPress site, allowing attackers to modify content, steal sensitive data, install backdoors, or disrupt site availability. This compromises the confidentiality, integrity, and availability of the affected websites. For businesses relying on WordPress for e-commerce, customer engagement, or content delivery, such a compromise can lead to financial losses, reputational damage, and regulatory penalties. The vulnerability's ease of exploitation and lack of required authentication mean attackers can rapidly compromise vulnerable sites at scale. Additionally, compromised sites can be used as platforms for further attacks, including phishing, malware distribution, or lateral movement within corporate networks. The widespread use of WordPress globally amplifies the potential impact, especially for organizations that have not applied security best practices or timely updates.

To mitigate CVE-2025-13390, organizations should immediately update the WP Directory Kit plugin to a version that addresses this vulnerability once released by the vendor. In the absence of an official patch, administrators should disable or restrict access to the auto-login feature, particularly the endpoint that generates or accepts the auto-login tokens. Implementing web application firewall (WAF) rules to detect and block suspicious requests targeting the auto-login endpoint can provide temporary protection. Monitoring logs for unusual access patterns or repeated token generation attempts is also recommended. Additionally, enforcing multi-factor authentication (MFA) on administrative accounts can reduce the risk of unauthorized access even if token prediction occurs. Regularly auditing installed plugins and removing unused or unsupported ones will minimize attack surface. Finally, organizations should maintain comprehensive backups and incident response plans to recover quickly from potential compromises.