CVE-2025-13390

Name of the Vulnerable Software and Affected Versions WP Directory Kit versions prior to 1.4.5

Description The WP Directory Kit plugin for WordPress has a flaw in its authentication process. Specifically, versions up to and including 1.4.4 are susceptible to authentication bypass due to a weak token generation mechanism within the wdk generate auto login link function. This allows unauthenticated attackers to gain administrative access and potentially take full control of a site by exploiting the auto-login endpoint with a predictable token.

Recommendations Update WP Directory Kit to version 1.4.5 or later. As a temporary workaround, consider disabling the auto-login feature if it is not essential. Restrict access to the auto-login endpoint.