Escanear gratis
MEDIUMCVE-2025-13737CVSS 4.3

Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery para Desvincular el Inicio de Sesión Social del Usuario

Plataforma

wordpress

Componente

nextend-facebook-connect

Corregido en

3.1.22

AI Confidence: highNVDEPSS 0.0%Revisado: may 2026
Ver en NVD
Guardar
Traduciendo a tu idioma…

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Nextend Social Login and Register plugin for WordPress. This flaw, affecting versions 0 through 3.1.21, allows unauthenticated attackers to potentially unlink a user's social login accounts. The vulnerability stems from insufficient nonce validation within the 'unlinkUser' function. A patch is available in version 3.1.22.

WordPress

Detecta esta CVE en tu proyecto

Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.

Escanear gratis

Impacto y Escenarios de Ataquetraduciendo…

Successful exploitation of this CSRF vulnerability allows an attacker to force a site administrator to perform actions without their knowledge or consent. Specifically, an attacker can craft a malicious request that, when triggered (e.g., by clicking a link), will unlink a user's social login accounts. This can disrupt user access, potentially leading to frustration and impacting the user experience. While the direct impact is limited to account unlinking, it highlights a broader weakness in the plugin's security posture and could potentially be chained with other vulnerabilities for more severe consequences. The attack requires the administrator to interact with the malicious link, so social engineering is a key component of exploitation.

Contexto de Explotacióntraduciendo…

This vulnerability was publicly disclosed on 2025-11-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of CSRF vulnerabilities suggests that a PoC could emerge. It is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the potential for impact and the ease of exploitation, assuming an administrator is tricked into clicking a malicious link.

Quién Está en Riesgotraduciendo…

WordPress websites utilizing the Nextend Social Login and Register plugin, particularly those with site administrators who are susceptible to social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources may also be indirectly affected if one site is compromised and used to launch attacks against others.

Pasos de Deteccióntraduciendo…

• wordpress / composer / npm:

grep -r 'unlinkUser' /var/www/html/wp-content/plugins/nextend-social-login/

• wordpress / composer / npm:

wp plugin list --status=active | grep nextend-social-login

• wordpress / composer / npm:

wp plugin update nextend-social-login

• generic web: Inspect WordPress admin interface for suspicious links or forms related to social login unlinking. Check access logs for unusual requests to the plugin's unlink endpoint.

Cronología del Ataque

  1. Disclosure

    disclosure

Inteligencia de Amenazas

Estado del Exploit

Prueba de ConceptoDesconocido
CISA KEVNO
Exposición en InternetAlta

EPSS

0.02% (3% percentil)

CISA SSVC

Explotaciónnone
Automatizableno
Impacto Técnicopartial

Vector CVSS

INTELIGENCIA DE AMENAZAS· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetworkCómo el atacante alcanza el objetivoAttack ComplexityLowCondiciones necesarias para explotarPrivileges RequiredNoneNivel de autenticación requeridoUser InteractionRequiredSi la víctima debe realizar una acciónScopeUnchangedImpacto más allá del componente afectadoConfidentialityNoneRiesgo de exposición de datos sensiblesIntegrityLowRiesgo de modificación no autorizada de datosAvailabilityNoneRiesgo de interrupción del servicionextguardhq.com · Puntuación Base CVSS v3.1
¿Qué significan estas métricas?
Attack Vector
Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
Attack Complexity
Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
Privileges Required
Ninguno — sin autenticación. No se necesitan credenciales para explotar.
User Interaction
Requerida — la víctima debe abrir un archivo, hacer clic en un enlace o visitar una página.
Scope
Sin cambio — el impacto se limita al componente vulnerable.
Confidentiality
Ninguno — sin impacto en confidencialidad.
Integrity
Bajo — el atacante puede modificar algunos datos con alcance limitado.
Availability
Ninguno — sin impacto en disponibilidad.

Software Afectado

Componentenextend-facebook-connect
Proveedorwordfence
Rango afectadoCorregido en
0 – 3.1.213.1.22

Información del paquete

Instalaciones activas
200KConocido
Valoración del plugin
4.9
Requiere WordPress
4.9+
Compatible hasta
6.9.4
Requiere PHP
7.4+
Sitio web

Clasificación de Debilidad (CWE)

CWE-352

Cronología

  1. Reservado
  2. Publicada
  3. Modificada
  4. EPSS actualizado

Mitigación y Workaroundstraduciendo…

The primary mitigation for CVE-2025-13737 is to immediately upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting administrative access to the plugin's settings page, or implementing stricter input validation on the 'unlinkUser' function (though this requires custom code and careful testing). Monitor WordPress access logs for suspicious requests targeting the plugin's unlink functionality. After upgrading, verify the fix by attempting to trigger the unlink action with a forged request; it should be rejected due to proper nonce validation.

Cómo corregirlo

Actualizar a la versión 3.1.22, o una versión parcheada más reciente

Boletín de seguridad CVE

Análisis de vulnerabilidades y alertas críticas directamente en tu correo.

Preguntas frecuentestraduciendo…

What is CVE-2025-13737 — CSRF in Nextend Social Login and Register?

CVE-2025-13737 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0–3.1.21 of the Nextend Social Login and Register WordPress plugin, allowing attackers to potentially unlink user social logins.

Am I affected by CVE-2025-13737 in Nextend Social Login and Register?

You are affected if your WordPress site uses the Nextend Social Login and Register plugin in versions 0 through 3.1.21. Upgrade to 3.1.22 or later to mitigate the risk.

How do I fix CVE-2025-13737 in Nextend Social Login and Register?

Upgrade the Nextend Social Login and Register plugin to version 3.1.22 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting admin access.

Is CVE-2025-13737 being actively exploited?

While no active exploitation has been confirmed, the vulnerability is relatively easy to exploit and a PoC could emerge. Monitor your systems for suspicious activity.

Where can I find the official Nextend Social Login and Register advisory for CVE-2025-13737?

Refer to the Nextend Social Login and Register plugin's official website or WordPress plugin repository for the latest advisory and update information.

¿Tu proyecto está afectado?

Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.

Escanear gratisBuscar CVEs