CVE-2025-13539: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Elated Themes FindAll Membership
The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.
AI Analysis
Technical Summary
CVE-2025-13539 is an authentication bypass vulnerability categorized under CWE-288, affecting the FindAll Membership plugin for WordPress developed by Elated Themes. The vulnerability exists because the plugin does not properly complete the login process after verifying user identity through the 'findall_membership_check_facebook_user' and 'findall_membership_check_google_user' functions. These functions validate users via OAuth tokens from Facebook and Google, but the plugin fails to securely bind this verification to the WordPress authentication session. Consequently, an attacker who can create a temporary user account (a feature enabled by default) and who has access to an administrative user's email can bypass authentication and log in as that administrator. This bypass does not require any prior privileges or user interaction, making it remotely exploitable over the network. The vulnerability affects all versions up to and including 1.0.4, with no patches currently available. The CVSS v3.1 score of 9.8 reflects the critical nature of this flaw, with network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild, the vulnerability poses a severe risk of complete site takeover, data theft, and potential further exploitation of the hosting environment.
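The defensive point in the analysis above is that the account chosen for login must come from the identity the OAuth provider actually vouched for, and that the result of that verification must be what WordPress's session is created from. The following PHP sketch is an added example written for this page; it is not FindAll Membership's code, does not describe how that plugin is structured, and every function name, the meta key and the `manage_options` policy are assumptions. It shows the hardened shape of a social-login handler: the provider's userinfo response is the only source of the subject and email, accounts are bound by a stored provider identifier first, email matching is allowed only when the provider asserts the address is verified, and an administrator can never be reached through the email fallback at all.

```php
<?php
/**
 * Hardened social-login handler (added example, not the plugin's code).
 * Function names, the meta key and the role policy are assumptions.
 *
 * The CWE-288 pattern this guards against: the provider token is checked,
 * but the WordPress login is then performed from request-supplied data
 * instead of from the data the provider returned.
 */

// Meta key (chosen for this example) under which a user's linked provider
// subject is stored at account-link time, as "<provider>:<id>".
const EXAMPLE_PROVIDER_ID_META = 'example_social_provider_id';

/**
 * Ask the provider who the token belongs to. Only fields from this response
 * may influence the login decision. Checking that the token was issued to
 * this application (audience / app id) is left out for brevity and must be
 * added in real code.
 */
function example_fetch_verified_identity( string $provider, string $access_token ) {
    $endpoints = array(
        'google'   => 'https://openidconnect.googleapis.com/v1/userinfo',
        'facebook' => 'https://graph.facebook.com/me?fields=id,email',
    );
    if ( ! isset( $endpoints[ $provider ] ) ) {
        return new WP_Error( 'bad_provider', 'Unsupported provider.' );
    }
    $response = wp_remote_get( $endpoints[ $provider ], array(
        'headers' => array( 'Authorization' => 'Bearer ' . $access_token ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'token_rejected', 'Provider did not accept the token.' );
    }
    $info = json_decode( wp_remote_retrieve_body( $response ), true );
    $id   = ( 'google' === $provider ) ? ( $info['sub'] ?? '' ) : ( $info['id'] ?? '' );
    if ( '' === $id ) {
        return new WP_Error( 'no_subject', 'Provider returned no stable identifier.' );
    }
    // Google states whether the address is verified; a missing or false flag
    // is treated as unverified. For Facebook this example assumes that an
    // email is only present in the response when Facebook has verified it.
    $email_verified = ( 'google' === $provider )
        ? ! empty( $info['email_verified'] )
        : ! empty( $info['email'] );
    return array(
        'provider_id'    => (string) $id,
        'email'          => isset( $info['email'] ) ? sanitize_email( $info['email'] ) : '',
        'email_verified' => $email_verified,
    );
}

/**
 * Log in the WordPress user bound to the verified identity. Nothing from
 * $_GET / $_POST other than the token itself reaches the account decision.
 */
function example_login_from_verified_identity( string $provider, string $access_token ) {
    $identity = example_fetch_verified_identity( $provider, $access_token );
    if ( is_wp_error( $identity ) ) {
        return $identity;
    }

    // 1. Preferred binding: provider subject -> WP user, recorded when the
    //    user explicitly linked the provider while already logged in.
    $ids     = get_users( array(
        'meta_key'   => EXAMPLE_PROVIDER_ID_META,
        'meta_value' => $provider . ':' . $identity['provider_id'],
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    $user_id = $ids ? (int) $ids[0] : 0;

    // 2. Email fallback only when the provider asserts the address is verified,
    //    and never for accounts that can manage the site: those must have an
    //    explicit link from step 1 (policy chosen for this example).
    if ( ! $user_id && $identity['email_verified'] && '' !== $identity['email'] ) {
        $user = get_user_by( 'email', $identity['email'] );
        if ( $user && user_can( $user->ID, 'manage_options' ) ) {
            return new WP_Error( 'link_required', 'Privileged accounts must link the provider explicitly.' );
        }
        if ( $user ) {
            $user_id = (int) $user->ID;
        }
    }
    if ( ! $user_id ) {
        return new WP_Error( 'no_account', 'No account is linked to this identity.' );
    }

    // Complete the login through WordPress's own session machinery so the
    // verified identity and the authenticated session are the same thing.
    $user = get_userdata( $user_id );
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user );
    return $user_id;
}
```

The design choice worth noting is the refusal in step 2: even a correctly verified email is only as strong as the provider's verification and the mailbox behind it, which is why the advisory treats access to the administrator's email as part of the attack. Requiring a pre-existing explicit link for privileged roles removes the email path for exactly the accounts where a takeover matters most, and pairs with the MFA and email-security recommendations the page lists.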
Potential Impact
For European organizations, this vulnerability poses a significant threat to WordPress sites using the FindAll Membership plugin, particularly those relying on Facebook or Google OAuth for user authentication. Successful exploitation allows attackers to gain administrative privileges, leading to full control over the website, including content manipulation, data exfiltration, and deployment of malicious code or ransomware. This can result in severe reputational damage, regulatory penalties under GDPR due to unauthorized access to personal data, and operational disruption. Organizations in sectors such as e-commerce, education, and public services that often use membership plugins for user management are especially vulnerable. The ease of exploitation and lack of required privileges increase the likelihood of attacks, potentially targeting high-profile European entities. Additionally, attackers with access to administrative emails can leverage this flaw to escalate privileges, making email security a critical factor in the impact assessment.
Mitigation Recommendations
Immediate mitigation steps include disabling the FindAll Membership plugin until a secure patch is released by Elated Themes. Organizations should audit user accounts created via the temporary user functionality and restrict or disable this feature if possible. Strengthening email security for administrative users by enforcing multi-factor authentication (MFA) and monitoring for suspicious email activity can reduce the risk of attackers leveraging email access. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block abnormal login attempts related to OAuth flows can provide temporary protection. Regularly monitoring WordPress logs for unusual authentication patterns and restricting administrative access by IP or VPN can further reduce exposure. Organizations should also prepare incident response plans specific to WordPress compromises and ensure backups are current and tested. Coordination with the plugin vendor for timely patch deployment is essential once a fix becomes available.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-22T05:13:16.600Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6927d764d4a4bdffcb26cfdb
Added to database: 11/27/2025, 4:45:24 AM
Last enriched: 12/4/2025, 5:25:08 AM
Last updated: 1/11/2026, 8:16:49 PM