Plattform
wordpress
Komponente
nextend-facebook-connect
Behoben in
3.1.22
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Nextend Social Login and Register plugin for WordPress. This flaw, affecting versions 0 through 3.1.21, allows unauthenticated attackers to potentially unlink a user's social login accounts. The vulnerability stems from insufficient nonce validation within the 'unlinkUser' function. A patch is available in version 3.1.22.
Successful exploitation of this CSRF vulnerability allows an attacker to force a site administrator to perform actions without their knowledge or consent. Specifically, an attacker can craft a malicious request that, when triggered (e.g., by clicking a link), will unlink a user's social login accounts. This can disrupt user access, potentially leading to frustration and impacting the user experience. While the direct impact is limited to account unlinking, it highlights a broader weakness in the plugin's security posture and could potentially be chained with other vulnerabilities for more severe consequences. The attack requires the administrator to interact with the malicious link, so social engineering is a key component of exploitation.
This vulnerability was publicly disclosed on 2025-11-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of CSRF vulnerabilities suggests that a PoC could emerge. It is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the potential for impact and the ease of exploitation, assuming an administrator is tricked into clicking a malicious link.
WordPress websites utilizing the Nextend Social Login and Register plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources may also be indirectly affected if one site is compromised and used to launch attacks against others.
• wordpress / composer / npm:
grep -r 'unlinkUser' /var/www/html/wp-content/plugins/nextend-social-login/• wordpress / composer / npm:
wp plugin list --status=active | grep nextend-social-login• wordpress / composer / npm:
wp plugin update nextend-social-login• generic web: Inspect WordPress admin interface for suspicious links or forms related to social login unlinking. Check access logs for unusual requests to the plugin's unlink endpoint.
disclosure
Exploit-Status
EPSS
0.02% (3% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-13737 is to immediately upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting administrative access to the plugin's settings page, or implementing stricter input validation on the 'unlinkUser' function (though this requires custom code and careful testing). Monitor WordPress access logs for suspicious requests targeting the plugin's unlink functionality. After upgrading, verify the fix by attempting to trigger the unlink action with a forged request; it should be rejected due to proper nonce validation.
Aktualisieren Sie auf Version 3.1.22 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-13737 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0–3.1.21 of the Nextend Social Login and Register WordPress plugin, allowing attackers to potentially unlink user social logins.
You are affected if your WordPress site uses the Nextend Social Login and Register plugin in versions 0 through 3.1.21. Upgrade to 3.1.22 or later to mitigate the risk.
Upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting admin access.
While no active exploitation has been confirmed, the vulnerability is relatively easy to exploit and a PoC could emerge. Monitor your systems for suspicious activity.
Refer to the Nextend Social Login and Register plugin's official website or WordPress plugin repository for the latest advisory and update information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.