CVE-2025-13620
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13620
EUVD
EUVD-2025-201405
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress wp_social_login_and_register_social_counter 3.1.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Wp Social Login and Register Social Counter plugin for WordPress (up to version 3.1.3). It is caused by certain REST API routes being registered without proper authorization checks, allowing anyone to send crafted requests to clear or overwrite the social counter cache without authentication.

Impact Analysis

An unauthenticated attacker can clear or overwrite the social counter cache, potentially disrupting the accuracy of social login counters on the affected WordPress site. This could lead to misinformation about user activity or social interactions, impacting site functionality or user trust.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Wp Social Login and Register Social Counter plugin to a version later than 3.1.3 where the issue is fixed. If an update is not available, consider disabling or removing the plugin to prevent exploitation. Additionally, restrict access to the vulnerable REST API endpoints by implementing proper authorization checks or firewall rules to block unauthenticated requests to the paths wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache.

Detection Guidance

You can detect this vulnerability by checking if your WordPress site with the Wp Social Login and Register Social Counter plugin (version up to 3.1.3) responds to unauthenticated REST API requests to the following endpoints: /wp-json/wslu/v1/check_cache/{type}, /wp-json/wslu/v1/save_cache/{type}, and /wp-json/wslu/v1/settings/clear_counter_cache. To test, you can use curl commands like: 1. curl -X POST https://your-site.com/wp-json/wslu/v1/save_cache/sometype 2. curl -X POST https://your-site.com/wp-json/wslu/v1/settings/clear_counter_cache 3. curl -X GET https://your-site.com/wp-json/wslu/v1/check_cache/sometype If these endpoints respond without authentication or permission errors, your site is vulnerable. Replace 'your-site.com' with your domain and 'sometype' with relevant cache types. Monitoring your web server logs for unauthorized POST or GET requests to these REST routes can also help detect exploitation attempts. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13620. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart