CVE-2025-11522 is a critical vulnerability classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) found in the Search & Go - Directory WordPress Theme by Elated-Themes. The vulnerability affects all versions up to and including 2.7 and stems from insufficient user validation within the function search_and_go_elated_check_facebook_user(), which handles Facebook login authentication. This flaw allows unauthenticated attackers to bypass normal authentication mechanisms and assume the identity of other users, including those with administrative privileges, without needing any credentials or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible to attackers. Successful exploitation compromises confidentiality, integrity, and availability by granting attackers full control over user accounts, potentially leading to data theft, site defacement, or further malware deployment. Although no public exploits have been reported yet, the vulnerability's nature and high CVSS score (9.8) indicate a significant risk. The lack of an official patch at the time of disclosure necessitates immediate mitigation efforts by site administrators. The vulnerability is particularly relevant to WordPress sites using the Search & Go theme with Facebook login enabled, which is common in directory and listing websites. The technical root cause is a failure to properly validate the authenticity of Facebook user tokens or sessions, allowing attackers to craft requests that impersonate legitimate users.

For European organizations, this vulnerability poses a severe threat, especially for those operating directory or listing websites using the Search & Go WordPress theme with Facebook login enabled. Successful exploitation can lead to unauthorized access to sensitive user data, including personal information and administrative controls, resulting in data breaches and loss of trust. Attackers gaining admin access can manipulate website content, inject malicious code, or disrupt services, impacting business continuity and reputation. Given the widespread use of WordPress across Europe and the popularity of Facebook login for user convenience, many organizations could be exposed. The breach of administrator accounts could also facilitate lateral movement within corporate networks if the website is integrated with internal systems. Regulatory implications under GDPR are significant, as unauthorized data access could lead to substantial fines and legal consequences. The threat is amplified by the ease of exploitation and the absence of required authentication or user interaction, making automated attacks feasible. Organizations relying on this theme for customer engagement or lead generation may face operational and financial impacts due to downtime or remediation costs.

Immediate mitigation steps include disabling Facebook login functionality within the Search & Go theme until an official patch is released by Elated-Themes. Site administrators should monitor user account activity for suspicious logins or changes, especially focusing on administrator accounts. Implementing multi-factor authentication (MFA) for WordPress admin accounts can reduce the risk of account takeover even if authentication bypass occurs. Regular backups of website data and configurations should be maintained to enable rapid recovery in case of compromise. Network-level protections such as Web Application Firewalls (WAFs) should be configured to detect and block anomalous requests targeting the vulnerable function or Facebook login endpoints. Administrators should audit installed plugins and themes to ensure no other components introduce similar risks. Once a patch is available, prompt application is critical. Additionally, organizations should review Facebook app permissions and OAuth configurations to ensure they follow best practices and minimize attack surface. Security awareness training for site administrators about this vulnerability and its exploitation methods can improve detection and response capabilities.