The FindAll Membership plugin for WordPress, developed by Elated Themes, suffers from a critical authentication bypass vulnerability identified as CVE-2025-13539. This vulnerability stems from improper handling of user authentication states within the plugin's integration with social login mechanisms, specifically the 'findall_membership_check_facebook_user' and 'findall_membership_check_google_user' functions. These functions verify user data from Facebook and Google OAuth flows, but the plugin fails to properly log in the user after verification, allowing attackers to bypass normal authentication checks. An attacker can exploit this by first creating a temporary user account via the plugin's default temp user functionality, which requires no special privileges. Then, by leveraging access to the administrative user's email, the attacker can impersonate the admin and gain full administrative access to the WordPress site. This bypass does not require any user interaction or prior authentication, making it highly exploitable remotely over the network. The vulnerability affects all versions up to and including 1.0.4 of the plugin. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation (network vector, no privileges, no user interaction) and the severe impact on confidentiality, integrity, and availability of the affected systems. Although no public exploits have been reported yet, the vulnerability poses a significant risk to any WordPress site using this plugin, especially those relying on social login features. The lack of available patches at the time of disclosure further increases the urgency for mitigation.

The impact of CVE-2025-13539 is severe and wide-ranging for organizations using the FindAll Membership plugin. Successful exploitation grants attackers full administrative privileges on the WordPress site, enabling them to modify site content, steal sensitive data, install malware, or disrupt site availability. This compromises confidentiality by exposing user data and administrative credentials, integrity by allowing unauthorized changes to site content and configurations, and availability by potentially enabling denial-of-service or destructive actions. Since WordPress powers a significant portion of websites globally, including e-commerce, membership, and content management platforms, the vulnerability could lead to data breaches, reputational damage, financial loss, and regulatory penalties. The ease of exploitation without authentication or user interaction makes it attractive for automated attacks and widespread exploitation once public exploits emerge. Organizations relying on social login integrations and temporary user creation features are particularly at risk. The lack of a patch at disclosure increases the window of exposure, necessitating immediate defensive measures.

To mitigate CVE-2025-13539 effectively, organizations should: 1) Immediately disable the FindAll Membership plugin or its social login features until a patched version is released. 2) Restrict or disable the temporary user creation functionality to prevent attackers from creating accounts that facilitate the bypass. 3) Implement additional authentication controls such as multi-factor authentication (MFA) for administrative accounts to reduce the risk of unauthorized access even if credentials are compromised. 4) Monitor administrative account email inboxes for suspicious activity, as access to these emails is a prerequisite for exploitation. 5) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious login attempts or unusual authentication flows related to the plugin. 6) Review and tighten WordPress user role assignments and permissions to minimize the impact of any unauthorized access. 7) Stay updated with vendor advisories and apply patches promptly once available. 8) Conduct thorough audits of WordPress sites using this plugin to identify any signs of compromise or unauthorized access. These targeted steps go beyond generic advice by focusing on the specific attack vectors and plugin features involved in the vulnerability.