CVE-2025-13390: CWE-303 Incorrect Implementation of Authentication Algorithm in listingthemes WP Directory Kit
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
AI Analysis
Technical Summary
CVE-2025-13390 affects the WP Directory Kit plugin for WordPress, specifically versions up to and including 1.4.4. The vulnerability arises from an incorrect implementation of the authentication algorithm within the wdk_generate_auto_login_link function. This function is responsible for generating auto-login tokens intended to facilitate user authentication without manual login. However, the token generation mechanism is cryptographically weak and predictable, classified under CWE-303 (Incorrect Implementation of Authentication Algorithm). An attacker can exploit this weakness by predicting or forging valid tokens, thereby bypassing authentication controls entirely. This allows unauthenticated attackers to gain administrative privileges on the affected WordPress site, resulting in full site takeover. The vulnerability does not require any user interaction or prior authentication, and the attack vector is remote network access (AV:N). The CVSS v3.1 base score is 10.0, reflecting critical impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction needed. No patches or fixes have been published at the time of disclosure, and no known exploits are publicly available, though the risk remains high due to the nature of the flaw. The vulnerability impacts all installations using the affected plugin versions, which may be embedded in various WordPress deployments, including business, e-commerce, and informational websites.
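The weakness described above is a token that can be predicted rather than one that must be guessed from a large random space. The following PHP sketch is an added illustration, not code from WP Directory Kit, of how an auto-login token should be issued and redeemed: 256 bits from a CSPRNG, only a hash of the token stored, a short expiry, single use, and a constant-time comparison. The `wdk_demo_` names, the in-memory `$store` array (standing in for user meta or a database table) and the 300-second lifetime are all assumptions made for the example.

```php
<?php
// Added illustration (not WP Directory Kit code): single-use, expiring auto-login tokens
// built on a cryptographically secure RNG. $store is an in-memory stand-in for a
// user-meta row or database table; names prefixed wdk_demo_ are hypothetical.

const WDK_DEMO_TOKEN_TTL = 300; // seconds an auto-login link stays valid (assumption)

// Issue a token for $user_id. Only the SHA-256 of the token is persisted, so a leaked
// table does not yield working login links; the raw token goes into the URL once.
function wdk_demo_issue_token(int $user_id, array &$store): string {
    // 32 bytes from the OS CSPRNG, base64url-encoded: not derivable from user id or time.
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $store[] = [
        'user_id' => $user_id,
        'hash'    => hash('sha256', $token),
        'expires' => time() + WDK_DEMO_TOKEN_TTL,
    ];
    return $token;
}

// Redeem a token presented to the auto-login endpoint. Returns the user id on success
// and null on any failure. The record is removed on first match, so a link cannot be
// replayed, and an expired link is consumed without granting access.
function wdk_demo_redeem_token(string $token, array &$store): ?int {
    $presented = hash('sha256', $token);
    foreach ($store as $i => $rec) {
        // hash_equals() runs in constant time regardless of where the digests differ.
        if (!hash_equals($rec['hash'], $presented)) {
            continue;
        }
        unset($store[$i]);
        return $rec['expires'] >= time() ? $rec['user_id'] : null;
    }
    return null;
}

// Demo: one legitimate redemption, then a replay of the same link, then a token
// that was never issued. Only the first call should return a user id.
$store = [];
$link_token = wdk_demo_issue_token(42, $store);
echo 'first use:    ', var_export(wdk_demo_redeem_token($link_token, $store), true), PHP_EOL;
echo 'replay:       ', var_export(wdk_demo_redeem_token($link_token, $store), true), PHP_EOL;
echo 'never issued: ', var_export(wdk_demo_redeem_token(str_repeat('a', 43), $store), true), PHP_EOL;
```

In a real plugin the redeemed user id would be handed to the WordPress session machinery (for example `wp_set_auth_cookie()`), and the token record would live in user meta or a dedicated table rather than a PHP array.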
Potential Impact
For European organizations, this vulnerability poses a severe risk of unauthorized administrative access to WordPress sites using the WP Directory Kit plugin. Successful exploitation can lead to complete site compromise, including data theft, defacement, malware implantation, and disruption of services. Organizations relying on WordPress for customer-facing portals, internal directories, or content management may face significant operational and reputational damage. The breach of administrative credentials can also facilitate lateral movement within networks if the WordPress environment is integrated with internal systems. Given the critical nature of the vulnerability and the widespread use of WordPress across Europe, the potential impact includes regulatory non-compliance (e.g., GDPR violations), financial losses, and erosion of customer trust. The ease of exploitation without authentication or user interaction further exacerbates the threat, making timely mitigation imperative.
Mitigation Recommendations
Immediate mitigation steps include disabling or removing the WP Directory Kit plugin until a secure patched version is released. Organizations should monitor WordPress sites for unusual administrative logins or suspicious activity related to the auto-login feature. Implementing web application firewalls (WAFs) with custom rules to block access to the auto-login endpoint or to detect anomalous token patterns can reduce exposure. Restricting access to the WordPress admin interface by IP allowlisting or VPN-only access can also limit the attack surface. Regularly auditing installed plugins and maintaining an inventory of versions will help identify vulnerable instances promptly. Once a patch is available, prioritize its deployment across all affected systems. Additionally, consider implementing multi-factor authentication (MFA) for WordPress admin accounts to add a layer of defense against token-based bypasses. Back up critical data and keep incident response plans ready to address potential compromises.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T21:50:03.589Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6930444551392e1c8b19b53f
Added to database: 12/3/2025, 2:08:05 PM
Last enriched: 12/3/2025, 2:22:58 PM
Last updated: 12/5/2025, 12:01:06 AM