Platform: wordpress
Component: heateor-social-login
Fixed in: 1.1.40
CVE-2025-68998 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Heateor Social Login plugin for WordPress. This vulnerability allows an attacker to trick authenticated users into unknowingly performing actions they did not intend, potentially leading to unauthorized modifications or data exposure. The vulnerability affects versions from 0.0 up to and including 1.1.39, and a patch is expected to be released by the vendor.
A successful CSRF attack could allow an attacker to manipulate user accounts within the Heateor Social Login plugin. This could involve changing social login settings, disconnecting existing social accounts, or even potentially gaining access to sensitive user data if the plugin interacts with other systems. The impact is amplified if the plugin is used in conjunction with other plugins or services that rely on the social login functionality, as the attacker could potentially leverage the CSRF to compromise those systems as well. While the CVSS score is medium, the potential for widespread impact across WordPress sites using this plugin warrants immediate attention.
As of the publication date (2025-12-30), there is no indication of active exploitation of CVE-2025-68998. Public proof-of-concept (PoC) code is currently unavailable. The vulnerability has not been added to the CISA KEV catalog. The medium CVSS score suggests a moderate probability of exploitation if a PoC is released.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68998 is to upgrade to a patched version of the Heateor Social Login plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the plugin. Web Application Firewalls (WAFs) can also be configured to detect and block malicious CSRF requests. Monitor WordPress logs for suspicious activity, particularly requests originating from unfamiliar sources or exhibiting unusual patterns.
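For plugin developers, the CSRF-token protection mentioned above is what WordPress calls a nonce. The following is an added illustration of that pattern, not code from Heateor Social Login; the form, option name, action name and handler are hypothetical, and the second handler shows the unprotected shape that CSRF targets.

```php
<?php
// Added example of WordPress nonce-based CSRF protection (not Heateor's code).
// All names below (example_*) are hypothetical.

// Unprotected shape: the handler trusts any POST that reaches it, so a
// logged-in admin whose browser is induced to submit this form changes the
// option without intending to. This is the class of bug CSRF exploits.
function example_save_settings_insecure() {
    update_option( 'example_allow_facebook', isset( $_POST['example_allow_facebook'] ) ? 1 : 0 );
}
add_action( 'admin_post_example_save_settings_insecure', 'example_save_settings_insecure' );

// Protected shape, step 1: render the form with a nonce tied to a specific
// action name. The nonce is user- and session-specific and expires.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label><input type="checkbox" name="example_allow_facebook" value="1"> Allow Facebook login</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Protected shape, step 2: verify the capability AND the nonce before
// changing state. The nonce proves the request came from a form this user
// loaded; the capability check keeps low-privilege users out even with a
// valid nonce. check_admin_referer() combines the nonce check and wp_die().
function example_save_settings_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    update_option( 'example_allow_facebook', isset( $_POST['example_allow_facebook'] ) ? 1 : 0 );
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_handler' );
```

Any AJAX or REST endpoint that changes state needs the same pair of checks (for REST, a permission_callback plus the X-WP-Nonce header), since the missing-nonce pattern is what a WAF rule for this bug class would otherwise have to guess at.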
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-68998 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Heateor Social Login versions 0.0 through 1.1.39. An attacker can trick users into performing unintended actions.
If you are using Heateor Social Login version 0.0 to 1.1.39 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade to the latest version of Heateor Social Login as soon as a patch is released by the vendor. Until then, consider implementing CSRF token protections.
As of the publication date, there is no evidence of active exploitation of CVE-2025-68998. However, this could change if a public proof-of-concept is released.
Refer to the Heateor website and WordPress plugin repository for official announcements and updates regarding CVE-2025-68998.