A critical authentication bypass vulnerability in the Case Theme User WordPress plugin has emerged as a significant security threat, allowing unauthenticated attackers to gain administrative access to websites by exploiting the social login functionality.
The vulnerability, tracked as CVE-2025-5821 with a CVSS score of 9.8, affects all versions of the plugin up to 1.0.3 and impacts an estimated 12,000 active installations worldwide.
The security flaw enables malicious actors to bypass authentication mechanisms entirely, granting them unauthorized access to any user account, including administrator-level privileges, provided they know or can discover the target’s email address.
What makes this vulnerability particularly dangerous is its simplicity: attackers can exploit it through straightforward HTTP requests without requiring sophisticated tools or extensive technical knowledge.
Active exploitation began almost immediately after the vulnerability’s public disclosure on August 22, 2025, with threat actors launching attacks the following day.
Wordfence analysts identified the vulnerability through their bug bounty program and noted that the security firm’s firewall has already blocked over 20,900 exploit attempts targeting this specific weakness.
The rapid onset of exploitation demonstrates the vulnerability’s appeal to cybercriminals seeking quick access to WordPress sites.
The plugin is bundled with multiple premium themes, significantly expanding the attack surface beyond standalone installations.
Attackers have been observed attempting to guess administrative email addresses using common patterns such as [email protected], [email protected], and [email protected], suggesting a systematic approach to exploitation across multiple targets.
The vulnerability stems from flawed logic in the facebook_ajax_login_callback() function within the Case_Theme_User_Ajax class.
Exploit process (Source – Wordfence)
The function processes social login requests by creating user accounts based on supplied email addresses, but fails to properly validate the authentication state before granting access.
The exploit process involves two distinct phases. Initially, attackers register a temporary user account using their own email address through a POST request to /wp-admin/admin-ajax.php with the action parameter set to facebook_ajax_login.
The malicious payload includes fabricated Facebook user data, such as data[name]=temp and data[email]=[email protected], creating a legitimate user session.
In the second phase, attackers leverage the established session to authenticate as the target victim by submitting another request using the same temporary username but substituting the victim’s email address.
The vulnerable code retrieves the user by email rather than verifying the original authentication token, effectively transferring session privileges to the target account.
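The flaw described above is a general social-login anti-pattern: the server looks up (or creates) the local account from an email address the client supplied, instead of deriving the email from an identity the provider actually verified. The following Python model is an added illustration and is not code from the Case Theme User plugin or from Wordfence; the user store, the HMAC-based stand-in for the provider's token, and the request shape are all constructed for the example. It places the flawed lookup beside a hardened handler that only trusts the email bound to a verified provider token.

```python
"""Model of a social-login handler: flawed email lookup vs. verified identity.

Added illustration, not the plugin's code. The provider, its token format,
the user store and the request shape are constructed for this example.
"""
import hashlib
import hmac

# Constructed local user store: email -> (user_id, role)
USERS = {
    "admin@example.com": (1, "administrator"),
    "attacker@example.com": (7, "subscriber"),
}

# Constructed stand-in for the identity provider's signing key.
PROVIDER_SECRET = b"provider-secret-for-illustration-only"


def provider_issue_token(email: str) -> str:
    """Simulate the provider issuing a token bound to the email it authenticated."""
    sig = hmac.new(PROVIDER_SECRET, email.encode(), hashlib.sha256).hexdigest()
    return f"{email}.{sig}"


def provider_verify_token(token: str):
    """Simulate verifying a token with the provider.

    Returns the email the token is bound to, or None if the token is invalid.
    """
    email, _, sig = token.rpartition(".")
    expected = hmac.new(PROVIDER_SECRET, email.encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(sig, expected) else None


def flawed_login(request: dict):
    """Flawed pattern: trust the client-supplied data[email] and fetch the user by it.

    Nothing ties the email to the identity the provider vouched for, so whoever
    controls the request controls which local account is selected.
    """
    email = request["data"]["email"]
    user = USERS.get(email)
    if user is None:
        return None
    return {"user_id": user[0], "role": user[1]}


def hardened_login(request: dict):
    """Hardened pattern: the account is chosen from the provider-verified email.

    The client-supplied data[email] is ignored entirely; an invalid or missing
    token yields no session at all.
    """
    verified_email = provider_verify_token(request.get("token", ""))
    if verified_email is None:
        return None
    user = USERS.get(verified_email)
    if user is None:
        return None
    return {"user_id": user[0], "role": user[1]}
```

The design point is that the hardened handler never reads the email out of the request body; any account selection flows from `provider_verify_token`, so substituting a different email in the request changes nothing. In a real WordPress plugin the equivalent step is validating the provider's access token server-side (with the provider's API) before calling the user lookup.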
The patch released in version 1.0.4 addresses this logic flaw by implementing proper authentication verification before granting access rights.
Website administrators should immediately update to the latest version and review their access logs for suspicious AJAX requests originating from known malicious IP addresses, including 2602:ffc8:2:105:216:3cff:fe96:129f and 146.70.186.142.
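A practical way to carry out the log review recommended above is to parse the web server access log for POST requests to admin-ajax.php whose action is facebook_ajax_login, then flag sources that match the published addresses or that send bursts of such requests (the email-guessing behaviour described earlier produces many requests per client). The script below is an added example, not Wordfence's or the plugin's code; the log lines are constructed, the address-matching uses only the two IoC addresses named in this article, and the `burst_threshold` value is an assumption to tune per site. It assumes the action parameter appears in the query string, which WordPress accepts for admin-ajax.php; when it is sent only in the POST body, a standard access log will not show it, and a WAF or request-body log is needed instead, which the second check models.

```python
"""Review an access log for suspicious facebook_ajax_login requests.

Added example, not code from the advisory or the plugin. Log lines and the
request-body records are constructed; IoC addresses are the two named above.
"""
import re
from collections import defaultdict

# Addresses named in the advisory as known exploitation sources.
KNOWN_BAD_IPS = {"2602:ffc8:2:105:216:3cff:fe96:129f", "146.70.186.142"}

# Constructed sample lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
146.70.186.142 - - [23/Aug/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "python-requests/2.32"
146.70.186.142 - - [23/Aug/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "python-requests/2.32"
198.51.100.9 - - [23/Aug/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Aug/2025:10:03:01 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Aug/2025:10:03:02 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "Mozilla/5.0"
2602:ffc8:2:105:216:3cff:fe96:129f - - [23/Aug/2025:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 94 "-" "curl/8.0"
192.0.2.44 - - [23/Aug/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_social_login_request(rec: dict) -> bool:
    """True for POST admin-ajax.php requests carrying action=facebook_ajax_login."""
    return (
        rec["method"] == "POST"
        and rec["path"].startswith("/wp-admin/admin-ajax.php")
        and "action=facebook_ajax_login" in rec["path"]
    )


def review_log(text: str, burst_threshold: int = 3):
    """Return findings per source IP: known-bad addresses and request bursts."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_social_login_request(rec):
            hits[rec["ip"]].append(rec["ts"])
    findings = []
    for ip, stamps in hits.items():
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("known exploitation source")
        if len(stamps) >= burst_threshold:
            reasons.append(f"{len(stamps)} social-login requests")
        if reasons:
            findings.append({"ip": ip, "count": len(stamps), "reasons": reasons})
    return sorted(findings, key=lambda f: f["ip"])


def flag_email_switching(records):
    """Second check, for logs that capture the POST body (e.g. a WAF log).

    `records` is an iterable of (client_ip, submitted_email) pairs; a client
    that submits more than one distinct email to the social-login endpoint
    matches the two-phase pattern described in the advisory.
    """
    seen = defaultdict(set)
    for ip, email in records:
        seen[ip].add(email.lower())
    return sorted(ip for ip, emails in seen.items() if len(emails) > 1)


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f["ip"], f["count"], "; ".join(f["reasons"]))
```

The first check needs nothing beyond the ordinary access log and is the one to run first across every site that bundles the plugin; the second check is stronger but depends on having request bodies, which most hosts only retain through a WAF or a security plugin's request log. Any host that turns up in either list is worth a full review of recently created users and of administrator logins around the matching timestamps.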
The post WordPress Plugin Vulnerability Let Attackers Bypass Authentication via Social Login appeared first on Cyber Security News.