CVE-2025-1061: CWE-288 Authentication Bypass Using an Alternate Path or Channel in nextendweb Nextend Social Login Pro
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
AI Analysis
Technical Summary
The Nextend Social Login Pro plugin for WordPress, widely used to enable social login capabilities, contains a critical vulnerability identified as CVE-2025-1061. This vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and affects all versions up to and including 3.1.16. The root cause is insufficient verification of the user identity during the Apple OAuth authentication request handled by the plugin. Specifically, the plugin fails to properly validate that the user associated with the OAuth token matches the intended user account, allowing an attacker who knows a valid user's email address to bypass authentication controls. This flaw enables unauthenticated attackers to impersonate any user, including administrators, thereby gaining unauthorized access to the WordPress site. The vulnerability requires no privileges and no user interaction, making it trivially exploitable remotely over the network. The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability of the affected systems. Although no active exploits have been reported yet, the critical nature of the flaw and the popularity of the plugin make it a high-risk target for attackers. The plugin's lack of a patch at the time of disclosure increases the urgency for mitigation measures.
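As an added illustration (not the plugin's code, and not a claim about which request parameter it trusted, since the advisory does not name one), this is the shape of the check the summary says was missing: the WordPress account is selected only from claims in an Apple identity token whose signature, issuer and audience have been verified, never from an email value the client posted. It assumes the firebase/php-jwt library (JWT, JWK classes), WordPress's wp_remote_get and get_user_by, and a hypothetical `$client_email` parameter.

```php
<?php
// Added illustration, not Nextend's code. Assumes firebase/php-jwt and a WordPress runtime.
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

const APPLE_ISSUER   = 'https://appleid.apple.com';
const APPLE_JWKS_URL = 'https://appleid.apple.com/auth/keys';

/**
 * Resolve the WordPress user for an Apple sign-in from the verified identity
 * token only. $client_email is whatever the browser posted (hypothetical
 * parameter); it is never used as the lookup key. Returns WP_User on success
 * or WP_Error naming the check that failed.
 */
function resolve_apple_user(string $id_token, string $client_id, ?string $client_email = null) {
    $resp = wp_remote_get(APPLE_JWKS_URL);
    if (is_wp_error($resp)) {
        return new WP_Error('jwks', 'Could not fetch Apple signing keys');
    }
    $jwks = json_decode(wp_remote_retrieve_body($resp), true);
    try {
        // Signature, algorithm and expiry are checked by the library; Apple signs with RS256.
        $claims = JWT::decode($id_token, JWK::parseKeySet($jwks, 'RS256'));
    } catch (Exception $e) {
        return new WP_Error('token', 'Identity token rejected: ' . $e->getMessage());
    }
    // Bind the token to this identity provider and to this site's client id.
    if (($claims->iss ?? '') !== APPLE_ISSUER || ($claims->aud ?? '') !== $client_id) {
        return new WP_Error('token', 'Issuer or audience mismatch');
    }
    // Only a verified email claim may select an account. (Apple's stable `sub`
    // claim is the stronger long-term link; email is used here because that is
    // the linkage the advisory describes.)
    $verified = filter_var($claims->email_verified ?? false, FILTER_VALIDATE_BOOLEAN);
    if (empty($claims->email) || !$verified) {
        return new WP_Error('token', 'No verified email in token');
    }
    // A client-supplied email may only agree with the token; it never overrides it.
    if ($client_email !== null && strcasecmp(trim($client_email), $claims->email) !== 0) {
        return new WP_Error('mismatch', 'Posted email does not match token');
    }
    $user = get_user_by('email', $claims->email);
    if (!$user) {
        return new WP_Error('nouser', 'No account linked to this identity');
    }
    return $user; // caller may now call wp_set_auth_cookie($user->ID)
}
```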
Potential Impact
The impact of CVE-2025-1061 is severe for organizations using the Nextend Social Login Pro plugin. Successful exploitation allows attackers to bypass authentication and log in as any user, including administrators, without credentials. This can lead to full site compromise, data theft, unauthorized content modification, installation of backdoors or malware, and disruption of services. For e-commerce, membership, or content management sites, this can result in financial loss, reputational damage, and regulatory penalties due to data breaches. The vulnerability affects the confidentiality of user data, the integrity of website content and configurations, and the availability of the site if attackers choose to disrupt services. Since no user interaction or prior authentication is required, the attack surface is broad, and automated exploitation is feasible. Organizations worldwide running WordPress sites with this plugin are at risk, especially those with high-value user accounts or sensitive data.
Mitigation Recommendations
1. Immediately update the Nextend Social Login Pro plugin to a patched version once available from the vendor. Monitor official channels for patch releases.
2. If a patch is not yet available, disable the Apple OAuth login feature within the plugin to prevent exploitation.
3. Implement additional access controls such as IP whitelisting or web application firewalls (WAF) to detect and block suspicious authentication requests targeting the plugin endpoints.
4. Monitor authentication logs for unusual login attempts or successful logins from unexpected IP addresses or user agents.
5. Enforce multi-factor authentication (MFA) on all administrative accounts to reduce the impact of compromised credentials.
6. Regularly audit user accounts and permissions to ensure no unauthorized changes have occurred.
7. Consider temporarily disabling the Nextend Social Login Pro plugin if the risk is unacceptable and no mitigations are feasible.
8. Educate site administrators about the vulnerability and encourage prompt action to reduce exposure time.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-05T14:44:49.749Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b0db7ef31ef0b54d967
Added to database: 2/25/2026, 9:35:09 PM
Last enriched: 2/25/2026, 9:51:33 PM
Last updated: 2/26/2026, 7:43:49 AM