PT-2025-49240 · WordPress · Wp Social Login/Register Social Counter
Dmitry Ignatyev · Published 2025-12-05 · Updated 2025-12-05 · CVE-2025-13620
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Wp Social Login and Register Social Counter plugin versions prior to 3.1.4
Description
The Wp Social Login and Register Social Counter plugin for WordPress has an issue with missing authorization. REST routes including /wslu/v1/check_cache/{type}, /wslu/v1/save_cache/{type}, and /wslu/v1/settings/clear_counter_cache are registered without proper capability or nonce validation in their handlers. This allows unauthenticated attackers to clear or overwrite the social counter cache using crafted REST requests. The permission callback is set to return true, bypassing security checks.
Recommendations
Update the Wp Social Login and Register Social Counter plugin to version 3.1.4 or later.
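The weak route registration described above beside a hardened one, as an added example that is not the plugin's code or its 3.1.4 patch. The function names, the POST method, the transient name and the `manage_options` capability are assumptions; only the route path comes from the description.

```php
<?php
// Added illustration, not the plugin's source. Function names, the POST method,
// the transient name and the capability are assumptions for this sketch.

// Weak form (shown for contrast, not hooked): the permission callback always
// returns true, so the REST server passes unauthenticated requests to the handler.
function wslu_example_register_weak() {
    register_rest_route( 'wslu/v1', '/settings/clear_counter_cache', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wslu_example_clear_cache',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: same route, but the permission callback requires a capability.
function wslu_example_register_hardened() {
    register_rest_route( 'wslu/v1', '/settings/clear_counter_cache', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wslu_example_clear_cache',
        'permission_callback' => 'wslu_example_can_manage_cache',
    ) );
}
add_action( 'rest_api_init', 'wslu_example_register_hardened' );

// Runs before the handler. Core only treats a cookie-authenticated REST request
// as the logged-in user when it carries a valid X-WP-Nonce, so this capability
// check also rejects cross-site requests that lack the nonce.
function wslu_example_can_manage_cache( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to change the social counter cache.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

// Handler: only reached once the permission callback has returned true.
function wslu_example_clear_cache( WP_REST_Request $request ) {
    delete_transient( 'wslu_example_counter_cache' ); // hypothetical cache key
    return rest_ensure_response( array( 'cleared' => true ) );
}
```

When reviewing other plugins for the same weakness, any `register_rest_route` call on a state-changing route whose `permission_callback` is `__return_true` deserves the same scrutiny.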
Fix
Missing Authorization
Affected Products
Wp Social Login/Register Social Counter