CVE-2025-13390
The WP Directory Kit plugin for WordPress
Executive summary
A critical authentication bypass vulnerability has been identified in the WP Directory Kit plugin for WordPress. This flaw allows an unauthenticated attacker to generate a predictable auto-login token, bypass all authentication checks, and gain full administrative access to the affected website, leading to a complete site takeover.
Vulnerability
The vulnerability exists within the wdk_generate_auto_login_link function, which creates auto-login links. The function derives its authentication tokens from a cryptographically weak algorithm, so the tokens are predictable. An unauthenticated attacker can reproduce the token generation process or brute-force a valid token, then submit it to the auto-login endpoint, which grants an authenticated session with administrative privileges without a valid username or password.
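To make the weakness concrete, the following added example (not WP Directory Kit code; the advisory does not publish the plugin's actual token construction) contrasts a hypothetical predictable token, derived from the user ID and a Unix timestamp, with a sound design: random bytes from the OS CSPRNG, stored only as a hash, bound to a user, time-limited and single-use. It is written in Python rather than the plugin's PHP so that it runs stand-alone; all function and variable names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# --- Weak design (hypothetical stand-in for "a cryptographically weak
# algorithm"; not the plugin's actual code) ---------------------------------
# Every input to the hash is public or guessable: the WordPress user ID (the
# first administrator is almost always ID 1) and the Unix time the link was
# generated. md5 only makes the output *look* random.
_weak_issued: Dict[int, int] = {}          # user_id -> issued_at

def weak_token(user_id: int, issued_at: int) -> str:
    return hashlib.md5(f"{user_id}:{issued_at}".encode()).hexdigest()

def weak_issue(user_id: int, now: int) -> str:
    _weak_issued[user_id] = now
    return weak_token(user_id, now)

def weak_verify(token: str) -> Optional[int]:
    """The auto-login endpoint in the weak design: recompute and compare."""
    for uid, issued_at in _weak_issued.items():
        if token == weak_token(uid, issued_at):
            return uid
    return None

def attacker_guess(user_id: int, approx_time: int, window: int) -> Optional[str]:
    """Unauthenticated attacker who knows the target user ID and roughly when
    the link was generated: submit one candidate per second to the endpoint."""
    for ts in range(approx_time - window, approx_time + window + 1):
        candidate = weak_token(user_id, ts)
        if weak_verify(candidate) == user_id:
            return candidate                  # accepted: admin session granted
    return None

# --- Sound design ----------------------------------------------------------
# 256 bits from the OS CSPRNG, stored only as a hash, bound to a user,
# time-limited and single-use. Nothing here can be recomputed by an outsider.
_secure_tokens: Dict[str, Tuple[int, int]] = {}   # sha256(token) -> (user_id, expires_at)

def secure_issue(user_id: int, now: int, ttl: int = 600) -> str:
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _secure_tokens[digest] = (user_id, now + ttl)
    return token

def secure_verify(token: str, now: int) -> Optional[int]:
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, (uid, expires_at) in list(_secure_tokens.items()):
        if hmac.compare_digest(stored, digest):   # constant-time comparison
            del _secure_tokens[stored]            # single use, expired or not
            return uid if now <= expires_at else None
    return None

if __name__ == "__main__":
    T = 1_700_000_000
    link = weak_issue(1, T)
    print("weak token guessed:", attacker_guess(1, T + 12, 60) == link)
    tok = secure_issue(1, T)
    print("secure token accepted once:", secure_verify(tok, T + 10), secure_verify(tok, T + 10))
```

The attacker in the weak half needs no secret at all: a one-minute uncertainty about when the link was generated costs 121 requests to the endpoint. In the sound half the only thing the server keeps is a hash, so even a database leak does not yield usable tokens, and a token that has been used or has expired is rejected regardless of how it was obtained.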
Business impact
This vulnerability is rated as critical severity with a CVSS score of 10.0. Successful exploitation grants an attacker complete control over the affected WordPress site. The potential consequences include theft of sensitive user data, financial information, and intellectual property; website defacement; distribution of malware to site visitors; and use of the compromised server as a launch point for further attacks against the organization's internal network. This can lead to significant financial loss, severe reputational damage, and regulatory penalties.
Remediation
Immediate Action: Update the WP Directory Kit plugin to a patched release as recommended by the vendor; every version up to and including 1.4.4 is affected, so any version later than 1.4.4 is the target. Patching does not end sessions an attacker has already obtained, so after updating rotate the WordPress authentication keys and salts in wp-config.php, which invalidates all existing login cookies. Then review all administrative user accounts for unauthorized additions or role changes, and review access logs for signs of compromise.
Proactive Monitoring: Monitor web server and application logs for bursts of requests to the auto-login endpoint from a single source, which is what brute-forcing a predictable token looks like. Scrutinize successful administrative logins from unknown or unusual IP addresses, and alert on the creation of new administrative accounts or on role changes that grant administrator rights.
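An added example of the monitoring described above, run over a few constructed Apache combined-format log lines (not real traffic): it flags source IPs that make repeated requests to the auto-login route within a short window, and successful /wp-admin/ access from IPs outside a trusted set. The wdk_auto_login query parameter in the sample lines and the pattern it is matched with are placeholders, since the advisory does not name the endpoint; take the real route from the plugin source before running this against production logs. Threshold, window and trusted-IP values are likewise the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder: the advisory does not name the auto-login route or query
# parameter. Derive the real one from the plugin source (the function is
# wdk_generate_auto_login_link) and adjust this pattern accordingly.
AUTO_LOGIN_RE = re.compile(r"auto_?login", re.IGNORECASE)
ADMIN_RE = re.compile(r"^/wp-admin/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one source hammers the auto-login route and then lands
# in /wp-admin/, a trusted admin logs in normally, a third source probes slowly.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2025:10:15:01 +0000] "GET /?wdk_auto_login=e3b0c44298fc1c14 HTTP/1.1" 403 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:03 +0000] "GET /?wdk_auto_login=9f86d081884c7d65 HTTP/1.1" 403 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:05 +0000] "GET /?wdk_auto_login=2c26b46b68ffc68f HTTP/1.1" 403 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:08 +0000] "GET /?wdk_auto_login=fcde2b2edba56bf4 HTTP/1.1" 403 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:10 +0000] "GET /?wdk_auto_login=a665a45920422f9d HTTP/1.1" 403 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:12 +0000] "GET /?wdk_auto_login=d4735e3a265e16ee HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [20/Nov/2025:10:15:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "python-requests/2.32"',
    '198.51.100.2 - - [20/Nov/2025:10:20:44 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [20/Nov/2025:10:30:00 +0000] "GET /?wdk_auto_login=4e07408562bedb8b HTTP/1.1" 403 0 "-" "curl/8.4"',
    '192.0.2.5 - - [20/Nov/2025:10:34:30 +0000] "GET /?wdk_auto_login=4b227777d4dd1fc6 HTTP/1.1" 403 0 "-" "curl/8.4"',
]

def parse(line):
    """Return the fields this detection needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }

def rapid_auto_login(lines, threshold=5, window_seconds=60):
    """{ip: most auto-login requests seen inside any window} for IPs at or above threshold."""
    hits = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r and AUTO_LOGIN_RE.search(r["path"]):
            hits[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):              # sliding window, two pointers
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def admin_access_from_untrusted(lines, trusted_ips):
    """Successful (2xx) requests under /wp-admin/ from IPs outside the trusted set."""
    out = []
    for line in lines:
        r = parse(line)
        if (r and ADMIN_RE.match(r["path"]) and 200 <= r["status"] < 300
                and r["ip"] not in trusted_ips):
            out.append((r["ip"], r["ts"].isoformat()))
    return out

if __name__ == "__main__":
    print("rapid auto-login sources:", rapid_auto_login(SAMPLE_LOG))
    print("admin access from untrusted IPs:", admin_access_from_untrusted(SAMPLE_LOG, {"198.51.100.2"}))
```

Correlating the two signals is the useful part: a burst against the auto-login route followed within seconds by a 2xx under /wp-admin/ from the same address is the sequence a successful token guess produces, and the 403s before the 302 are the failed guesses. The slow probe from 192.0.2.5 stays below the default threshold, which is the trade-off to tune against your own baseline.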
Compensating Controls: If immediate patching is not feasible, consider the following controls:
- Disable the WP Directory Kit plugin until it can be safely updated.
- Implement a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the plugin's auto-login functionality.
- Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only. This limits what a forged session can reach; it does not block the auto-login endpoint itself unless that endpoint is also placed behind the same restriction.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 10, this vulnerability poses an immediate and severe threat to the organization. We strongly recommend that all instances of the WP Directory Kit plugin be patched to the latest version without delay. Due to the risk of pre-patch compromise, a thorough review of all WordPress sites using this plugin for indicators of compromise is essential. If patching is delayed for any reason, compensating controls such as disabling the plugin or implementing a WAF must be deployed immediately to mitigate the risk of a full site takeover.