CVE-2025-13390 Scanner

CVE-2025-13390 Scanner - Authentication Bypass vulnerability in WP Directory Kit

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 23 hours
Scan only one: Domain, Subdomain, IPv4


The WP Directory Kit is a popular plugin for WordPress used by individuals and businesses for directory listings and managing various directory needs on their WordPress sites. This plugin is recognized for its robust features that simplify the process of managing directories with custom fields and is generally employed by web administrators looking for efficient solutions to manage multiple listings. Businesses, freelancers, and bloggers often use this plugin to enhance their directory management systems. Trusted by a large community, the WP Directory Kit is a significant tool in the ecosystem of WordPress plugins, offering versatility to its users. However, like any other software, this plugin requires constant updates and monitoring to safeguard against vulnerabilities, such as the Authentication Bypass. Due to its widespread use, any security issues within this plugin can have a substantial impact on the sites relying on it.

The Authentication Bypass vulnerability in the WP Directory Kit plugin affects its auto-login feature and is considered severe. It stems from a flaw in the token generation mechanism that lets attackers gain unauthorized access: the token is only the first 10 characters of the MD5 hash of the user_id, so it is the same predictable value every time for a given account, including the admin-level user with user_id=1. By bypassing authentication, attackers can gain administrative access, posing a considerable risk to affected websites. The vulnerability highlights the importance of secure coding practices and the dangers of simplistic cryptographic implementations.

The technical root of this vulnerability is the insecure method used to generate authentication tokens in WP Directory Kit versions 1.4.4 and below. The token is MD5(user_id) truncated to 10 characters, a cryptographically weak and fully predictable construction, so an attacker can work out the expected value in advance. This weakness is especially critical for the default user_id=1, usually assigned to the administrator account, which drastically simplifies the attack. By exploiting this predictable pattern, the attacker crafts a URL for an auto-login attempt and bypasses the existing authentication safeguards. The failure to use a more secure hashing algorithm or a longer token underscores how easy the vulnerability is to exploit; more fundamentally, the token depends only on the user_id, with no server-side secret or randomness, so it can be recomputed by anyone who knows the ID.
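The derivation described above, set beside a keyed, expiring, single-use token, as an added Python sketch. This is not the plugin's code (the plugin is PHP); the function names, the `|`-separated token layout, the 300-second lifetime and the in-memory nonce store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a real site would persist one server-side secret.
SECRET = secrets.token_bytes(32)
_used_nonces = set()  # in-memory single-use tracking; a real site needs shared storage


def weak_token(user_id: int) -> str:
    """Scheme described on the page: first 10 hex chars of MD5(user_id).
    No secret, no randomness, no expiry: anyone who knows the id can recompute it."""
    return hashlib.md5(str(user_id).encode()).hexdigest()[:10]


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: int, ttl: int = 300, now: Optional[float] = None,
                key: bytes = SECRET) -> str:
    """Hardened form: HMAC-SHA256 over id, expiry and a random nonce."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}|{expires}|{secrets.token_hex(16)}"
    return f"{payload}|{_mac(key, payload)}"


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SECRET) -> Optional[int]:
    """Return the user id for a valid, unexpired, unused token, else None."""
    payload, sep, mac = token.rpartition("|")
    if not sep or payload.count("|") != 2:
        return None
    # Constant-time comparison on bytes; check the MAC before parsing any field.
    if not hmac.compare_digest(_mac(key, payload).encode(), mac.encode()):
        return None
    uid, expires, nonce = payload.split("|")
    if (time.time() if now is None else now) >= int(expires):
        return None
    if nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    return int(uid)
```

The weak form returns the same value for the same id on every call, while the hardened form differs on each issue and is rejected if any field is altered, the lifetime has passed, or it has already been used.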

Once exploited, the Authentication Bypass vulnerability gives malicious users administrative control over the affected WordPress site. This enables them to modify site content, upload malicious scripts, and potentially extract sensitive data from the server. Such unauthorized access can lead to a full site takeover, resulting in reputational damage, data breaches, loss of customer trust, and financial consequences for affected parties. Moreover, exploited sites can be used for further attacks, such as phishing or distributing malware, amplifying the threat's impact across platforms.
