Platform: wordpress
Component: heateor-social-login
Fixed in: 1.1.40
CVE-2025-68998 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Heateor Social Login plugin for WordPress. This vulnerability allows an attacker to trick authenticated users into unknowingly performing actions they did not intend, potentially leading to unauthorized modifications or data exposure. The vulnerability affects versions from 0.0 up to and including 1.1.39, and a patch is expected to be released by the vendor.
A successful CSRF attack could allow an attacker to manipulate user accounts within the Heateor Social Login plugin. This could involve changing social login settings, disconnecting existing social accounts, or even potentially gaining access to sensitive user data if the plugin interacts with other systems. The impact is amplified if the plugin is used in conjunction with other plugins or services that rely on the social login functionality, as the attacker could potentially leverage the CSRF to compromise those systems as well. While the CVSS score is medium, the potential for widespread impact across WordPress sites using this plugin warrants immediate attention.
As of the publication date (2025-12-30), there is no indication of active exploitation of CVE-2025-68998. Public proof-of-concept (POC) code is currently unavailable. The vulnerability has not been added to the CISA KEV catalog. The medium CVSS score suggests a moderate probability of exploitation if a POC is released.
WordPress websites utilizing the Heateor Social Login plugin, particularly those with a large user base or that handle sensitive user data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r 'heateor-social-login' /var/www/html/wp-content/plugins/
  wp plugin list | grep heateor-social-login
• generic web (fetches the plugin's shipped readme.txt; the "Stable tag" line reports the installed version, and a 404 means the plugin directory is not present):
  curl -s https://your-wordpress-site.com/wp-content/plugins/heateor-social-login/readme.txt | grep -i 'stable tag'
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68998 is to upgrade to a patched version of the Heateor Social Login plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the plugin. Web Application Firewalls (WAFs) can also be configured to detect and block malicious CSRF requests. Monitor WordPress logs for suspicious activity, particularly requests originating from unfamiliar sources or exhibiting unusual patterns.
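The CSRF-token workaround above, as an added example that is not the plugin's own code: a hypothetical WordPress admin-post handler that saves a social-login setting, shown in an unprotected form beside a form protected with a WordPress nonce and a capability check. Every name prefixed `example_` (the action, option, nonce field and functions) is an assumption made for this illustration.

```php
<?php
// Added example, not Heateor code. All "example_" names are hypothetical.

// Form markup: wp_nonce_field() embeds the CSRF token (a WordPress nonce) and a
// hidden referer field; the action string must match what the handler verifies.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_social_setting">
        <?php wp_nonce_field( 'example_save_social_setting', 'example_nonce' ); ?>
        <input type="text" name="example_provider" value="">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Unprotected pattern: any request that carries the logged-in user's cookies is
// honored, so a page the user merely visits can submit this form on their behalf.
function example_save_social_setting_unprotected() {
    $provider = sanitize_text_field( wp_unslash( $_POST['example_provider'] ?? '' ) );
    update_option( 'example_provider', $provider );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened pattern: the nonce binds the request to this user, this action and a
// limited time window, so a cross-site page cannot forge it; the capability check
// additionally limits who is allowed to change the setting at all.
function example_save_social_setting_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request with an error page when the nonce is missing or invalid.
    check_admin_referer( 'example_save_social_setting', 'example_nonce' );

    $provider = sanitize_text_field( wp_unslash( $_POST['example_provider'] ?? '' ) );
    update_option( 'example_provider', $provider );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Only the protected handler is wired to the admin-post action.
add_action( 'admin_post_example_save_social_setting', 'example_save_social_setting_protected' );
```

For AJAX endpoints the same pattern applies with check_ajax_referer() in place of check_admin_referer().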
No known patch available. Please review the vulnerability details in depth and implement mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and find a replacement.
CVE-2025-68998 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Heateor Social Login versions 0.0 through 1.1.39. An attacker can trick users into performing unintended actions.
If you are using Heateor Social Login version 0.0 to 1.1.39 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade to the latest version of Heateor Social Login as soon as a patch is released by the vendor. Until then, consider implementing CSRF token protections.
As of the publication date, there is no evidence of active exploitation of CVE-2025-68998. However, this could change if a public proof-of-concept is released.
Refer to the Heateor website and WordPress plugin repository for official announcements and updates regarding CVE-2025-68998.