CVE-2025-11522 is a critical authentication bypass vulnerability classified under CWE-288, affecting the Search & Go - Directory WordPress Theme by Elated-Themes, specifically all versions up to and including 2.7. The root cause is insufficient user validation in the function search_and_go_elated_check_facebook_user(), which is responsible for verifying Facebook login credentials. This flaw allows unauthenticated attackers to bypass normal authentication mechanisms and gain unauthorized access to other users' accounts, including those with administrative privileges. The vulnerability is exploitable remotely without requiring any prior authentication or user interaction, making it highly dangerous. The attack vector is network-based, and the scope is unchanged, meaning the vulnerability affects only the vulnerable theme installations but can fully compromise those systems. The CVSS v3.1 base score is 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the simplicity of exploitation and the potential for complete site takeover make this a high-priority threat. The vulnerability specifically impacts WordPress sites using the Search & Go theme with Facebook login enabled, a common configuration for directory and listing websites. The lack of an official patch at the time of disclosure increases the urgency for mitigation. The vulnerability highlights the risks of third-party theme integrations with social login features when proper validation is not enforced.

The impact of CVE-2025-11522 is severe for organizations running WordPress sites with the Search & Go - Directory theme and Facebook login enabled. Successful exploitation results in full account takeover, including administrative accounts, allowing attackers to manipulate site content, steal sensitive user data, install backdoors, or disrupt site availability. This can lead to data breaches, reputational damage, loss of customer trust, and potential regulatory penalties depending on the data involved. Since WordPress powers a significant portion of websites globally, and directory themes are often used by businesses, local governments, and service providers, the scope of impact can be broad. Attackers can leverage this vulnerability to pivot into internal networks if the WordPress site is connected to other enterprise systems. The ease of exploitation without authentication or user interaction further amplifies the risk, making automated mass scanning and exploitation plausible once exploit code becomes available. Organizations that rely on Facebook login for user convenience are particularly vulnerable, as disabling this feature may be the only immediate mitigation before patches are released.

1. Immediately disable Facebook login functionality in the Search & Go theme until a security patch is released by Elated-Themes. 2. Monitor authentication logs for unusual login patterns or multiple failed attempts that could indicate exploitation attempts. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the vulnerable function or Facebook login endpoints. 4. Restrict administrative access by IP whitelisting or multi-factor authentication to reduce the impact of compromised accounts. 5. Regularly audit user accounts for unauthorized changes or new administrative users. 6. Keep WordPress core, plugins, and themes updated and subscribe to vendor security advisories for timely patch application. 7. If possible, temporarily disable or limit Facebook login integration site-wide or replace it with alternative authentication methods. 8. Conduct penetration testing focused on authentication mechanisms to identify similar weaknesses. 9. Prepare incident response plans to quickly isolate and remediate compromised systems if exploitation is detected. 10. Educate site administrators about the risks of social login features and the importance of strict validation.