Overview
CVE-2025-13737 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Nextend Social Login and Register plugin for WordPress. This vulnerability affects all versions up to, and including, version 3.1.21. It allows an unauthenticated attacker to potentially unlink a user’s social login from their WordPress account, provided they can trick a site administrator into clicking a malicious link or performing another action that submits a forged request from the administrator’s browser.
Technical Details
The vulnerability stems from missing or insufficient nonce validation in the unlinkUser function within the Nextend Social Login plugin. A nonce (Number used Once) is a security token used to prevent CSRF attacks by ensuring that requests originate from the legitimate website and not from a malicious source. Because the unlinkUser function lacks proper nonce validation, an attacker can craft a malicious URL or form that, when visited or submitted by an authenticated administrator, will trigger the unlinking of a user’s social login. This is possible because the administrator’s existing authentication cookie is used to authorize the forged request.
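To make the missing check concrete, the following is an added illustration (not the Nextend plugin’s own code) of a WordPress AJAX unlink handler in the vulnerable shape described above, beside a hardened version that requires a nonce and a logged-in user before deleting the link. The action name, user meta key and function names are assumptions for the example.

```php
<?php
// Illustrative WordPress handler, not the Nextend plugin's code.
// Assumption: the social link is stored in user meta keyed by provider name.

// VULNERABLE pattern: the handler trusts the authentication cookie alone,
// so a request submitted by any page the logged-in user visits is accepted.
function example_unlink_vulnerable() {
    $provider = sanitize_key( $_POST['provider'] ?? '' );
    delete_user_meta( get_current_user_id(), 'example_social_' . $provider );
    wp_send_json_success();
}

// HARDENED pattern: require a nonce bound to this action and this user's
// session, plus an explicit login check, before mutating anything.
function example_unlink_hardened() {
    // Terminates the request with 403 unless $_POST['_wpnonce'] was
    // generated for 'example_unlink_social' in the current user's session.
    check_ajax_referer( 'example_unlink_social', '_wpnonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 403 );
    }
    $provider = sanitize_key( $_POST['provider'] ?? '' );
    if ( '' === $provider ) {
        wp_send_json_error( 'Missing provider', 400 );
    }
    delete_user_meta( get_current_user_id(), 'example_social_' . $provider );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_unlink_social', 'example_unlink_hardened' );

// The legitimate form carries the nonce. A cross-site page cannot obtain
// it, because it is only rendered inside the authenticated session.
function example_unlink_form( $provider ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_unlink_social">
        <input type="hidden" name="provider" value="<?php echo esc_attr( $provider ); ?>">
        <?php wp_nonce_field( 'example_unlink_social', '_wpnonce' ); ?>
        <button type="submit">Unlink</button>
    </form>
    <?php
}
```

Note that check_ajax_referer() validates the token against the action string and the current user, so a token copied from one user’s session does not authorize another user’s request.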
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 4.3
The CVSS score of 4.3 indicates a medium severity vulnerability. The attack complexity is high, as it requires social engineering to trick a privileged user (administrator) into performing an action. The impact is limited to the modification of data (unlinking the social account), which doesn’t directly compromise the entire system.
Possible Impact
A successful exploit of this vulnerability could have the following consequences:
- Account Hijacking: While not a direct hijack, unlinking a social account can make it easier for an attacker to gain unauthorized access, especially if the social login was the primary method of authentication.
- Disruption of Service: Unlinking social accounts for a large number of users can disrupt their access to the website.
- Reputation Damage: Exploitation of this vulnerability can damage the website’s reputation and erode user trust.
Mitigation and Patch Steps
The recommended mitigation is to update the Nextend Social Login and Register plugin to the latest version. The vulnerability has been patched in versions released after 3.1.21. Specifically:
- Update the Plugin: Ensure that you have the latest version of the Nextend Social Login and Register plugin installed. You can do this through the WordPress admin dashboard.
