CVE-2025-13737: CSRF in Nextend Social Login and Register
Platform
wordpress
Component
nextend-facebook-connect
Fixed in
3.1.22
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Nextend Social Login and Register plugin for WordPress. This flaw, affecting versions 0 through 3.1.21, allows unauthenticated attackers to potentially unlink a user's social login accounts. The vulnerability stems from insufficient nonce validation within the 'unlinkUser' function. A patch is available in version 3.1.22.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
Successful exploitation of this CSRF vulnerability allows an attacker to force a site administrator to perform actions without their knowledge or consent. Specifically, an attacker can craft a malicious request that, when triggered (e.g., by clicking a link), will unlink a user's social login accounts. This can disrupt user access, potentially leading to frustration and impacting the user experience. While the direct impact is limited to account unlinking, it highlights a broader weakness in the plugin's security posture and could potentially be chained with other vulnerabilities for more severe consequences. The attack requires the administrator to interact with the malicious link, so social engineering is a key component of exploitation.
Exploitation Context
This vulnerability was publicly disclosed on 2025-11-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of CSRF vulnerabilities suggests that a PoC could emerge. It is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the potential for impact and the ease of exploitation, assuming an administrator is tricked into clicking a malicious link.
Threat Intelligence
Exploit Status
EPSS
0.02% (3% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Package Information
- Active installs
- 200KKnown
- Plugin rating
- 4.9
- Requires WordPress
- 4.9+
- Compatible up to
- 6.9.4
- Requires PHP
- 7.4+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-13737 is to immediately upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting administrative access to the plugin's settings page, or implementing stricter input validation on the 'unlinkUser' function (though this requires custom code and careful testing). Monitor WordPress access logs for suspicious requests targeting the plugin's unlink functionality. After upgrading, verify the fix by attempting to trigger the unlink action with a forged request; it should be rejected due to proper nonce validation.
How to fix
Update to version 3.1.22, or a newer patched version
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2025-13737 — CSRF in Nextend Social Login and Register?
CVE-2025-13737 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0–3.1.21 of the Nextend Social Login and Register WordPress plugin, allowing attackers to potentially unlink user social logins.
Am I affected by CVE-2025-13737 in Nextend Social Login and Register?
You are affected if your WordPress site uses the Nextend Social Login and Register plugin in versions 0 through 3.1.21. Upgrade to 3.1.22 or later to mitigate the risk.
How do I fix CVE-2025-13737 in Nextend Social Login and Register?
Upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting admin access.
Is CVE-2025-13737 being actively exploited?
While no active exploitation has been confirmed, the vulnerability is relatively easy to exploit and a PoC could emerge. Monitor your systems for suspicious activity.
Where can I find the official Nextend Social Login and Register advisory for CVE-2025-13737?
Refer to the Nextend Social Login and Register plugin's official website or WordPress plugin repository for the latest advisory and update information.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.