CVE-2025-11196 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the External Login plugin for WordPress, developed by tbenyon. The flaw exists in all versions up to and including 1.11.2 due to the 'exlog_test_connection' AJAX action lacking both capability checks and nonce validation. This means that any authenticated user with subscriber-level privileges or higher can invoke this AJAX endpoint to perform diagnostic tests that query the configured external database. The response includes truncated usernames, email addresses, and password hashes, exposing sensitive user data that should be protected. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L) since no additional conditions are needed beyond subscriber access. The impact is limited to confidentiality (C:L), with no integrity or availability effects. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, resulting in a medium severity score of 4.3. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability poses a risk primarily to WordPress sites using the External Login plugin that integrate with external databases for authentication, potentially exposing user credentials and personal information to low-privileged insiders or compromised accounts.

For European organizations, this vulnerability could lead to unauthorized disclosure of user credentials and personal information stored in external authentication databases. This exposure increases the risk of credential reuse attacks, phishing, and lateral movement within compromised networks. Organizations relying on WordPress sites with the External Login plugin for employee portals, customer-facing applications, or partner integrations may face data privacy violations under GDPR due to unauthorized access to personal data such as email addresses. Although the vulnerability requires authenticated access, subscriber-level accounts are common and often easier to compromise or obtain through social engineering. The exposure of password hashes, even if truncated, can facilitate offline cracking attempts, potentially leading to further account compromises. The absence of patches means organizations must rely on compensating controls until updates are available. The impact on availability and integrity is negligible, but confidentiality breaches can damage reputation and incur regulatory penalties.

1. Immediately audit WordPress sites using the External Login plugin to identify affected versions (up to 1.11.2). 2. Restrict subscriber-level user capabilities and review user roles to minimize unnecessary access. 3. Implement strict monitoring and logging of AJAX requests, particularly those invoking 'exlog_test_connection', to detect suspicious activity. 4. Disable or restrict access to the External Login plugin’s diagnostic features if possible, using web application firewalls or custom code to block unauthorized AJAX calls. 5. Enforce strong authentication mechanisms and consider multi-factor authentication to reduce the risk of account compromise. 6. Regularly update WordPress and plugins once patches become available from the vendor. 7. Conduct password resets for users if exposure is suspected, especially if password hashes may have been leaked. 8. Educate users about phishing and social engineering risks to prevent credential theft. 9. Review external database access logs for unusual queries or connections. 10. Consider isolating external authentication databases from the WordPress environment to limit exposure.