The External Login plugin for WordPress, developed by tbenyon, suffers from a sensitive information exposure vulnerability identified as CVE-2025-11196. This vulnerability arises from insufficient access control in the 'exlog_test_connection' AJAX action, which lacks both capability checks and nonce validation. As a result, any authenticated user with subscriber-level privileges or higher can invoke this AJAX endpoint to perform diagnostic tests against the configured external database. The response from this diagnostic test includes truncated usernames, email addresses, and password hashes, thereby leaking sensitive user information. The vulnerability affects all versions up to and including 1.11.2. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to the requirement for authenticated access and the limited scope of data exposure. The flaw does not impact data integrity or availability but compromises confidentiality. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

This vulnerability poses a confidentiality risk to organizations using the External Login plugin on WordPress sites. Attackers with low-level authenticated access (subscriber or above) can extract sensitive user data, including partial usernames, email addresses, and password hashes. Exposure of password hashes increases the risk of offline brute-force or cracking attacks, potentially leading to account compromise. The leakage of email addresses and usernames can facilitate targeted phishing or social engineering attacks. Although the vulnerability does not affect system integrity or availability, the compromise of user credentials and personal information can damage organizational reputation, violate privacy regulations, and lead to unauthorized access to user accounts. The impact is particularly significant for organizations with sensitive user data or regulatory compliance requirements.

To mitigate this vulnerability, organizations should immediately upgrade the External Login plugin to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the 'exlog_test_connection' AJAX action by implementing custom capability checks that limit access to trusted administrator roles only. Adding nonce validation to the AJAX endpoint can prevent unauthorized requests. Additionally, monitoring WordPress logs for unusual AJAX requests and limiting subscriber-level user capabilities can reduce exploitation risk. Employing Web Application Firewalls (WAFs) with rules to detect and block suspicious AJAX calls targeting this endpoint is recommended. Regularly auditing user roles and permissions to ensure minimal necessary access will also help mitigate potential abuse. Finally, organizations should consider resetting user passwords if exposure is suspected.