CVE•Published 2025-12-03•1 article on news•6 live references•NVD data

CVE-2025-13390

Vulnerability data via CVEDB (Shodan)

CVSS v3.1

10.0

CRITICAL

EPSS percentile

Exploit Prediction Scoring System · top 9% of all CVEs

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Timeline

Published 2025-12-03

External references

NVD MITRE Exploit-DB Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2025-13390

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · WP plugin path

http.html:"/wp-content/plugins/wp-directory-kit/"

Matches any site loading the "wp-directory-kit" plugin — doesn't rely on Shodan's vuln tag.

Shodan · product

product:"Wpdirectorykit Wp Directory Kit"

All exposed Wpdirectorykit Wp Directory Kit instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Wp Directory Kit"

HTTP body or banner mentions "Wp Directory Kit" — catches deploys Shodan didn't identify as a product.