
CVE-2025-13539: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Elated Themes FindAll Membership

Severity: Critical
Tags: Vulnerability, CVE-2025-13539, CWE-288
Published: Thu Nov 27 2025 (11/27/2025, 04:36:45 UTC)
Source: CVE Database V5
Vendor/Project: Elated Themes
Product: FindAll Membership

Description

The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site (which, by default, can easily be created through the temp user functionality) and access to the administrative user's email.

AI-Powered Analysis

AI analysis last updated: 11/27/2025, 04:59:05 UTC

Technical Analysis

The FindAll Membership plugin for WordPress, developed by Elated Themes, suffers from a critical authentication bypass vulnerability identified as CVE-2025-13539. This vulnerability stems from improper handling of user authentication via social login verification functions 'findall_membership_check_facebook_user' and 'findall_membership_check_google_user'. The plugin fails to properly log in users after these checks, allowing an attacker to bypass normal authentication mechanisms. Exploitation requires the attacker to have an existing user account, which can be created through the plugin's temporary user functionality by default, and access to the administrative user's email account. By leveraging these conditions, an attacker can impersonate administrative users without valid credentials or authentication steps. The vulnerability impacts all versions up to and including 1.0.4. The CVSS v3.1 score of 9.8 reflects the vulnerability's critical nature, with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the ease of exploitation and the potential for complete site takeover make this a severe threat. The lack of available patches necessitates immediate defensive actions by site administrators. This vulnerability highlights the risks of improper authentication logic in plugins that integrate third-party social login mechanisms.
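The flaw class described above (CWE-288) is easiest to see in code. The following is an added illustration written for this page, not the FindAll Membership plugin's code, and all names (fa_demo_*, the fa_demo_google_sub user meta key, the fa_demo_google_client_id option) are hypothetical. It shows the same shape of defect the description gives, a social identity that is verified but then not used as the basis for the login, beside a hardened handler that logs in only the account bound to the verified claims.

```php
<?php
/**
 * Illustrative CWE-288 pattern in a WordPress social-login callback.
 * Added example; NOT the FindAll Membership plugin's code. All fa_demo_*
 * names are hypothetical. Assumes it runs inside WordPress (WP_Error,
 * wp_remote_get, get_user_by, wp_set_auth_cookie are core functions).
 */

// Verify a Google ID token against Google's tokeninfo endpoint and return the
// verified claims, or a WP_Error. The audience check ties the token to this site.
function fa_demo_verify_google_token( string $id_token ) {
    $response = wp_remote_get( 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_token', 'Token verification failed.' );
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $claims['sub'] ) || empty( $claims['email'] ) || empty( $claims['email_verified'] )
        || ( $claims['aud'] ?? '' ) !== get_option( 'fa_demo_google_client_id' ) ) {
        return new WP_Error( 'bad_claims', 'Token does not belong to this site.' );
    }
    return $claims;
}

// VULNERABLE: the token is verified, but the login step selects the account from a
// request field rather than from the verified claims. The identity that gets logged
// in is therefore not the identity that was verified.
function fa_demo_login_vulnerable() {
    $claims = fa_demo_verify_google_token( $_POST['id_token'] ?? '' );
    if ( is_wp_error( $claims ) ) {
        wp_die( 'Login failed.' );
    }
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ?? '' ) ); // client-controlled
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
    }
}

// HARDENED: the account is chosen solely from the verified claims, and the provider
// subject must already be linked to that account, so an email match alone is not enough.
function fa_demo_login_hardened() {
    $claims = fa_demo_verify_google_token( $_POST['id_token'] ?? '' );
    if ( is_wp_error( $claims ) ) {
        wp_die( 'Login failed.' );
    }
    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        wp_die( 'No account for this identity.' );
    }
    $linked_sub = (string) get_user_meta( $user->ID, 'fa_demo_google_sub', true ); // hypothetical meta key
    if ( '' === $linked_sub || ! hash_equals( $linked_sub, (string) $claims['sub'] ) ) {
        wp_die( 'Identity not linked to this account.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The hardened handler carries the verified claims all the way to wp_set_auth_cookie(); nothing between verification and session creation reads from the request. Binding the provider subject to the account at link time closes the remaining gap the description points at, where access to an administrator's email address alone would otherwise be sufficient.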

Potential Impact

For European organizations, this vulnerability poses a severe risk of unauthorized administrative access to WordPress sites using the FindAll Membership plugin. Successful exploitation can lead to full site compromise, including data theft, defacement, malware implantation, and disruption of services. Confidential information stored or managed via the site can be exposed or altered, damaging organizational reputation and potentially violating data protection regulations such as GDPR. The ability to bypass authentication without user interaction or privileges increases the likelihood of automated attacks. Organizations relying on this plugin for membership management or subscription services may face operational disruptions and financial losses. Additionally, attackers gaining administrative access could leverage the compromised site as a pivot point for further attacks within the organization's network. The impact is particularly critical for sectors with sensitive data or high regulatory scrutiny, such as finance, healthcare, and e-commerce within Europe.

Mitigation Recommendations

Immediate mitigation steps include disabling the FindAll Membership plugin until a secure patch is released by Elated Themes. If disabling is not feasible, restrict access to administrative accounts by implementing IP whitelisting or multi-factor authentication at the WordPress login level. Review and audit all user accounts created via the plugin's temporary user functionality and remove any suspicious or unverified accounts. Monitor administrative login activity for anomalies, especially logins originating from unusual IP addresses or times. Implement email security best practices to protect administrative email accounts, including enforcing strong passwords and multi-factor authentication, to prevent attackers from leveraging email access. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block exploitation attempts targeting the vulnerable plugin functions. Stay alert for vendor updates or community patches and apply them promptly. Conduct a thorough security assessment of affected WordPress installations to identify any signs of compromise. Finally, educate site administrators about the risks of social login integrations and the importance of secure plugin management.
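Two of the recommendations above, restricting administrative access by source IP and monitoring administrative login activity, can be enforced in WordPress itself while a patch is pending. The following mu-plugin is an added example written for this page, not vendor code; the asg_* names and the allowlist addresses are hypothetical or constructed. It hooks determine_current_user and set_auth_cookie rather than the login form, because a social-login plugin that calls wp_set_auth_cookie() directly never passes through wp_signon() and the usual authenticate filters.

```php
<?php
/**
 * Plugin Name: Admin session guard (added example; hypothetical mu-plugin)
 * Place in wp-content/mu-plugins/. asg_* names and addresses are constructed.
 */

// Source addresses allowed to hold an administrator session (constructed values).
const ASG_ADMIN_ALLOWLIST = array( '203.0.113.10', '198.51.100.0/24' );

// True if an IPv4 address equals a dotted address or lies within a CIDR range.
function asg_ip_in_range( string $ip, string $range ): bool {
    if ( false === strpos( $range, '/' ) ) {
        return $ip === $range;
    }
    list( $subnet, $bits ) = explode( '/', $range, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function asg_ip_allowed( string $ip ): bool {
    foreach ( ASG_ADMIN_ALLOWLIST as $range ) {
        if ( asg_ip_in_range( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

// Enforcement on every request. determine_current_user runs whenever WordPress
// resolves the session cookie, so it covers sessions created by any code path,
// including plugins that call wp_set_auth_cookie() directly. Priority 99 runs
// after core's own cookie validation.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( ! $user_id || ! user_can( $user_id, 'manage_options' ) ) {
        return $user_id; // non-administrators are unaffected
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( asg_ip_allowed( $ip ) ) {
        return $user_id;
    }
    error_log( sprintf( 'asg: denied admin session user=%d ip=%s uri=%s',
        $user_id, $ip, $_SERVER['REQUEST_URI'] ?? '' ) );
    return 0; // treat the request as unauthenticated
}, 99 );

// Telemetry. set_auth_cookie fires inside wp_set_auth_cookie(), so every issued
// administrator session is logged regardless of which plugin issued it.
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && user_can( $user, 'manage_options' ) ) {
        error_log( sprintf( 'asg: admin auth cookie issued user=%s ip=%s',
            $user->user_login, $_SERVER['REMOTE_ADDR'] ?? '' ) );
    }
}, 10, 4 );
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; resolve the real client address from the proxy's trusted header before calling asg_ip_allowed(), and never trust that header when the request did not arrive via the proxy. Because the filter denies administrators from any address outside the allowlist, test it with the allowlist populated first; an mu-plugin cannot be deactivated from the dashboard and must be removed over the file system if it locks administrators out. The error_log lines are what the "monitor administrative login activity" step above consumes: an administrator cookie issued from an address that is then denied on the next request is exactly the pattern to alert on.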


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-22T05:13:16.600Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6927d764d4a4bdffcb26cfdb

Added to database: 11/27/2025, 4:45:24 AM

Last enriched: 11/27/2025, 4:59:05 AM

Last updated: 11/27/2025, 11:04:55 AM
