WP Directory Kit Authentication Bypass Vulnerability Allowing Full Site Takeover

Vulnerability

A vulnerability exists in the WP Directory Kit plugin for WordPress, affecting all versions up to and including 1.4.4. The issue arises from an authentication bypass in the auto-login feature, which is always active and cannot be disabled. The vulnerability is caused by a cryptographically weak token generation mechanism that allows unauthenticated attackers to gain administrative access and take over the site via the auto-login endpoint.

Impact

Exploitation of this vulnerability allows for authentication bypass, granting administrative access to the attacker. With this access, an attacker can install malicious plugins, create new administrative users, and potentially compromise the entire WordPress site.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the auto-login parameter set to '1', along with a user ID and a token. The token must be the first 10 characters of the MD5 hash of the user ID, concatenated with the NONCE_KEY and the string 'wpdirectorykit'. Once the request is processed, the WordPress authentication cookies for the specified user will be set in the response.

Remediation

Users are advised to update the WP Directory Kit plugin to version 1.4.5 or later, where this vulnerability has been patched.
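To confirm which installs still need the update, the following added example (not code from the plugin or from this advisory's author) walks a wp-content/plugins directory, reads each plugin header, and flags any copy of WP Directory Kit below 1.4.5. The directory and file names in the constructed sample tree are assumptions; matching relies on the standard WordPress "Plugin Name" and "Version" header fields.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 5)  # first patched release according to the advisory
PLUGIN_NAME = "WP Directory Kit"
HEADER = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)


def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10) so comparison is numeric, not lexical."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # header sits at the top
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None


def audit(plugins_dir):
    """List (path, version, vulnerable) for every WP Directory Kit copy found."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header and header[0].lower() == PLUGIN_NAME.lower():
            version = header[1]
            findings.append((str(php_file), version, parse_version(version) < FIXED))
    return findings


def demo():
    """Constructed sample tree: one vulnerable copy and one patched copy."""
    with tempfile.TemporaryDirectory() as root:
        for folder, version in (("site-a-copy", "1.4.4"), ("site-b-copy", "1.4.10")):
            plugin = Path(root, folder)  # folder and file names are made up
            plugin.mkdir()
            (plugin / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: WP Directory Kit\n * Version: {version}\n */\n")
        return [(version, vulnerable) for _, version, vulnerable in audit(root)]


if __name__ == "__main__":
    print(demo())
```

Point audit() at each site's real plugins directory; because the auto-login feature cannot be disabled, every copy reported as vulnerable needs the update.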

Added: Dec 3, 2025, 2:19 PM
Updated: Dec 3, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 1.3
threat: 7.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.