CVE-2025-11196
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | external_login | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the External Login plugin for WordPress up to version 1.11.2. The plugin's 'exlog_test_connection' AJAX action is reachable by any logged-in user and performs neither a capability check nor nonce validation before running. As a result, authenticated users with subscriber-level access or higher can trigger the plugin's connection test against the external database configured in its settings and read the diagnostic test results, which include truncated usernames, email addresses and password hashes from that database.
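The missing checks described above, as an added illustration that is not the External Login plugin's own code: a WordPress AJAX handler on the 'exlog_test_connection' action in the unsafe shape (no capability check, no nonce, raw rows returned) beside a hardened version. The helper exlog_run_diagnostic(), the script handle, the settings page hook and the nonce action string are assumptions for the example; the plugin's real code may differ.

```php
<?php
// Added example, not the External Login plugin's code.
// Assumed names: exlog_run_diagnostic(), 'exlog-admin', 'settings_page_exlog'.

// --- Unsafe pattern (the shape the CWE-200 finding describes) ---
// wp_ajax_{action} fires for every authenticated user, including subscribers.
// With no capability check and no nonce, any logged-in user can run the
// diagnostic and receive whatever it returns.
function exlog_test_connection_unsafe() {
    $result = exlog_run_diagnostic();   // assumed: queries the external DB
    wp_send_json_success( $result );    // hands rows (users, hashes) to the caller
}
// add_action( 'wp_ajax_exlog_test_connection', 'exlog_test_connection_unsafe' );

// --- Hardened pattern ---
function exlog_test_connection_safe() {
    // 1. Nonce: rejects requests not originating from the plugin's own
    //    settings page. check_ajax_referer() terminates with -1 / 403 on failure.
    check_ajax_referer( 'exlog_test_connection', 'nonce' );

    // 2. Capability: only users allowed to manage site settings may probe
    //    the external database. Subscribers fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = exlog_run_diagnostic();   // assumed: same helper as above

    // 3. Minimise the response: report whether the connection works,
    //    never the user rows themselves.
    wp_send_json_success( array(
        'connected' => ! empty( $result['connected'] ),
        'row_count' => isset( $result['rows'] ) ? count( $result['rows'] ) : 0,
    ) );
}
add_action( 'wp_ajax_exlog_test_connection', 'exlog_test_connection_safe' );

// Issue the nonce only to the settings page script (assumed handle and hook).
function exlog_enqueue_admin( $hook ) {
    if ( 'settings_page_exlog' !== $hook ) {
        return;
    }
    wp_localize_script( 'exlog-admin', 'exlogAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'exlog_test_connection' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'exlog_enqueue_admin' );
```

Note that the nonce alone is not the fix: a subscriber who can load a page carrying the nonce could still call the action, so the capability check is what actually stops low-privileged users, and reducing the response to a pass/fail summary limits what even an authorised caller can extract. To confirm a patched install, log in as a subscriber and request admin-ajax.php with action=exlog_test_connection; a hardened handler answers -1 or a 403 JSON error rather than diagnostic rows.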
How can this vulnerability impact me?
The vulnerability exposes sensitive information: any attacker holding a low-privileged account on the site (subscriber or higher) can obtain usernames, email addresses and password hashes from the external database. Those hashes can be cracked offline, and the usernames and addresses reused for credential stuffing, phishing or unauthorized access to user accounts, compromising the affected WordPress site and its users.