Overview
A critical security vulnerability, identified as CVE-2025-13539, has been discovered in the FindAll Membership plugin for WordPress. This vulnerability allows unauthenticated attackers to bypass authentication and potentially gain administrative access to affected WordPress sites. The vulnerability affects all versions of the plugin up to and including 1.0.4. Due to the ease of exploitation and the potential for significant damage, immediate action is recommended.
Technical Details
The FindAll Membership plugin fails to properly authenticate users after verifying them through the findall_membership_check_facebook_user and findall_membership_check_google_user functions. Specifically, the plugin does not complete the login process, allowing an attacker with a pre-existing account (easily created via the “temp user” functionality, which is often enabled by default) and knowledge of an administrator’s email address to impersonate that administrator.
The vulnerability lies in the incomplete implementation of the login procedure following successful verification using social authentication methods. The plugin verifies the user’s identity against Facebook or Google but doesn’t finalize the WordPress login session, leading to the authentication bypass.
CVSS Analysis
- CVE ID: CVE-2025-13539
- Severity: CRITICAL
- CVSS Score: 9.8
A CVSS score of 9.8 places this vulnerability at the top of the Critical range. The score reflects the ease of exploitation, the low skill required to carry out the attack, and the potential for complete system compromise: the attack vector is network-based, no user interaction is needed, and a successful attack results in complete loss of confidentiality, integrity, and availability.
Possible Impact
Successful exploitation of this vulnerability can lead to severe consequences, including:
- Complete Website Takeover: Attackers can gain administrative access, allowing them to modify website content, install malicious plugins, and deface the website.
- Data Theft: Sensitive data, including user information and business data, can be stolen.
- Malware Distribution: The compromised website can be used to distribute malware to visitors.
- SEO Poisoning: Attackers can inject malicious code to manipulate search engine rankings and redirect traffic to malicious sites.
- Reputation Damage: A compromised website can significantly damage the reputation of the organization.
Mitigation and Patch Steps
- Immediate Action: If you are using the FindAll Membership plugin, immediately disable the plugin.
- Check for Updates: Check the plugin developer’s website or the WordPress plugin repository for an updated version that addresses this vulnerability. As of this writing, no patch is available from the vendor.
- Consider Alternatives: If no update is available or the plugin is no longer maintained, consider switching to a different membership plugin with a strong security track record.
- Web Application Firewall (WAF): Implement a WAF with rules designed to detect and block authentication bypass attempts. While this isn’t a complete fix, it can provide an additional layer of security.
- Monitor Logs: Monitor your website’s logs for suspicious activity, such as unusual login attempts or changes to administrator accounts.
- Temporary User Restrictions: If possible, disable or restrict the “temp user” functionality to limit the ease of account creation for potential attackers.
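To make the “Immediate Action” and “Monitor Logs” steps stick until a vendor patch exists, the following must-use plugin is an added example (not code from the FindAll Membership vendor or from WordPress core). It assumes the plugin's main file lives at the placeholder path in FAM_PLUGIN_FILE, which has to be replaced with the real slug found under wp-content/plugins/, and it writes to the PHP error log so entries can be forwarded to whatever the site already collects.

```php
<?php
/**
 * Plugin Name: Temporary hardening for FindAll Membership (CVE-2025-13539)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/.
 */
defined('ABSPATH') || exit;

// ASSUMPTION / PLACEHOLDER: the plugin's main file path is not given in the
// advisory; replace it with the real slug before relying on step 1.
const FAM_PLUGIN_FILE = 'findall-membership/findall-membership.php';

// 1. Keep the vulnerable plugin deactivated, even if someone re-enables it
//    from the dashboard before a fixed version is available.
add_action('admin_init', function () {
    if (!function_exists('is_plugin_active')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if (is_plugin_active(FAM_PLUGIN_FILE)) {
        deactivate_plugins(FAM_PLUGIN_FILE);
        error_log('[CVE-2025-13539] FindAll Membership was active; deactivated by mu-plugin');
    }
});

// 2. Log every successful login for an account that can manage the site.
//    The advisory places the flaw in the plugin's social-login checks, so an
//    administrator session that was not started from wp-login.php is worth a
//    closer look; REQUEST_URI is only a heuristic, not proof of compromise.
add_action('wp_login', function ($user_login, $user) {
    if (!user_can($user, 'manage_options')) {
        return;
    }
    $uri      = $_SERVER['REQUEST_URI'] ?? '';
    $via_form = (false !== strpos($uri, 'wp-login.php')) ? 'yes' : 'no';
    error_log(sprintf(
        '[admin-login] user=%s ip=%s via_login_form=%s uri=%s ua=%s',
        $user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $via_form,
        $uri,
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    ));
}, 10, 2);

// 3. Log role changes that grant administrator rights, which is the kind of
//    "change to administrator accounts" the advisory asks you to watch for.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    if ($role === 'administrator') {
        error_log(sprintf(
            '[role-change] user_id=%d granted administrator (was: %s) by user_id=%d ip=%s',
            $user_id, implode(',', $old_roles), get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }
}, 10, 3);
```

Because it lives in mu-plugins it cannot be disabled from the dashboard, so remove the file deliberately once a patched plugin version has been installed and reviewed.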
