
CVE-2025-13613: CWE-289 Authentication Bypass by Alternate Name in Elated Themes Elated Membership

Critical
Tags: Vulnerability, CVE-2025-13613, CWE-289
Published: Wed Dec 10 2025 (12/10/2025, 01:51:52 UTC)
Source: CVE Database V5
Vendor/Project: Elated Themes
Product: Elated Membership

Description

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, which can easily be created by default through the temp user functionality, and access to the administrative user's email.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 04:53:23 UTC

Technical Analysis

CVE-2025-13613 is an authentication bypass (CWE-289, Authentication Bypass by Alternate Name) in the Elated Membership plugin for WordPress, affecting all versions up to and including 1.2. The flaw sits in the social login flow implemented by the functions 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network': the plugin verifies an identity in one step but then logs the user in using data other than the data it verified. In effect, the account that receives an authenticated session is selected by an identifier the attacker can supply (the target account's email address) rather than by the identity the social provider actually confirmed. The record states two preconditions: the attacker needs an existing account on the site, which the plugin's temporary user functionality creates by default, and "access to the administrative user's email". The record does not say whether that means knowing the address or controlling the mailbox; given the CWE-289 classification and a critical rating with no privileges required, the safer planning assumption is the weaker one, that knowing the email address registered on the administrator account is sufficient, and administrator addresses are frequently public or guessable. The attack is remote, needs no user interaction and yields a full administrator session, so confidentiality, integrity and availability are all affected: an administrator can read and modify all site data, install plugins or themes (and therefore run arbitrary PHP), and take the site offline. The CVSS v3.1 base score is 9.8 (critical). At the time of this analysis no patched release and no public exploit are reported for this CVE; the absence of a known exploit should not lower priority, because the preconditions are cheap to meet and the payoff is full site control. The general lesson is that a social login handler must bind the session it creates to the identity the provider verified, never to a separately supplied email address or username.
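The pattern behind this class of bug, beside a hardened counterpart, as an added illustration that is not the Elated Membership plugin's own code and does not reproduce its exact code path. The function names, the 'social_email' and 'access_token' request fields, the nonce action and the 'example_fb_user_id' usermeta key are assumptions; the WordPress core functions and the Facebook Graph API endpoint are real.

```php
<?php
// Added example, not code from the Elated Membership plugin. Function names,
// the 'social_email' / 'access_token' request fields, the nonce action and the
// 'example_fb_user_id' usermeta key are hypothetical; WordPress core functions
// and the Graph API endpoint are real.

// VULNERABLE PATTERN (CWE-289): an identity is verified in one step, but the
// login step resolves the account from a value the client supplied, so the
// session is never bound to the verified identity.
function example_vuln_social_login() {
    // Assume a social token was checked earlier for *some* account ...
    $email = sanitize_email( wp_unslash( $_POST['social_email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );   // ... but login keys off this email.
    if ( ! $user ) {
        wp_die( 'unknown user' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );           // administrator's email => administrator session
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED PATTERN: validate the provider token server-side, resolve the
// WordPress account only from the provider user id stored when the account
// was linked, and never let social login mint privileged sessions.
function example_safe_social_login() {
    check_ajax_referer( 'example_social_login' );   // CSRF protection for the handler
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        wp_die( 'missing token', '', array( 'response' => 400 ) );
    }
    $url  = add_query_arg(
        array( 'fields' => 'id,email', 'access_token' => $token ),
        'https://graph.facebook.com/me'
    );
    $resp = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'provider verification failed', '', array( 'response' => 401 ) );
    }
    $profile = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $profile['id'] ) ) {
        wp_die( 'provider verification failed', '', array( 'response' => 401 ) );
    }

    // Look the account up by the immutable provider id, never by an email
    // address taken from the request.
    $users = get_users( array(
        'meta_key'   => 'example_fb_user_id',
        'meta_value' => (string) $profile['id'],
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_die( 'no linked account', '', array( 'response' => 403 ) );
    }
    $user = $users[0];

    // Defence in depth: privileged roles log in through wp-login.php with MFA only.
    if ( user_can( $user, 'manage_options' ) ) {
        wp_die( 'social login not allowed for administrators', '', array( 'response' => 403 ) );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```

Two design points carry the weight here. First, the only value that selects the account is the provider's user id, which the attacker cannot choose; the email returned by the provider is at most used once, at link time, and linking itself should require an already authenticated WordPress session. Second, the handler refuses to create sessions for accounts holding 'manage_options', so even a logic slip in the lookup cannot hand out an administrator session through this path.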

Potential Impact

For European organizations the impact is substantial. WordPress is widely used for public web presence, and membership plugins such as Elated Membership typically front member data and paid content. A successful exploit gives the attacker an administrator session, which is sufficient to read, modify or delete member data, install backdoored plugins or themes, plant malware or ransomware, and disrupt service. Consequences include reputational damage, GDPR breach notification obligations and potential penalties, and operational disruption; organizations holding sensitive or regulated member data are most exposed. The email precondition raises the bar only slightly: administrator email addresses are often discoverable from the site itself, from author pages or from public records, and the record does not state that mailbox access is required. Given the critical severity, affected sites should be treated as exposed to full compromise until the plugin is removed or fixed.

Mitigation Recommendations

1. Inventory every WordPress site that runs Elated Membership and record the installed version. Any version up to and including 1.2 is affected, and this record lists no fixed release, so do not assume a newer version number is safe without confirming with Elated Themes.
2. Deactivate or remove the plugin until an official fix is released. If the membership functionality cannot be taken offline, block or restrict the plugin's social login endpoints at the web server or WAF in the meantime.
3. Harden administrator accounts: enforce multi-factor authentication for all administrators, use dedicated administrator email addresses that are not published on the site, and monitor those mailboxes for suspicious access.
4. Disable the temporary user creation functionality if the plugin's settings allow it; this removes the "existing account" precondition the attacker relies on.
5. Review authentication logs for administrator sessions established through the social login path rather than wp-login.php, and for temporary users created shortly before such sessions.
6. Deploy WAF rules that alert on or block requests to the plugin's social login handlers, and rate limit them.
7. Brief administrators on phishing aimed at their email accounts; the record lists access to the administrator's email as a prerequisite for exploitation.
8. Apply the vendor patch as soon as it is available and verify it in a staging environment before rolling it out.
9. Reduce the number of administrator accounts, give editors and shop managers the lowest role that covers their tasks, and run a security plugin that flags authentication anomalies.
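A WP-CLI script for step 1, as an added example that is not vendor code. It runs inside WordPress via `wp eval-file`, so `get_plugins()` is available after the include; because the advisory does not give the plugin slug, the match is on the plugin header Name, which is an assumption.

```php
<?php
// Added example, not vendor code. Run per site with:  wp eval-file audit.php
// WP-CLI bootstraps WordPress first, so ABSPATH is defined and get_plugins()
// works after this include. The plugin slug is not given in the advisory, so
// the match below is on the plugin header "Name" (assumption).
require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * Return every Elated Membership install found in $plugins (the array
 * get_plugins() returns) with its version, active state and affected-range flag.
 */
function example_audit_elated_membership( array $plugins, $max_affected = '1.2' ) {
    $hits = array();
    foreach ( $plugins as $file => $data ) {
        if ( false === stripos( $data['Name'], 'Elated Membership' ) ) {
            continue;
        }
        $hits[] = array(
            'file'     => $file,
            'version'  => $data['Version'],
            'active'   => is_plugin_active( $file ),
            // version_compare orders 1.10 after 1.2; a plain string compare would not.
            'affected' => version_compare( $data['Version'], $max_affected, '<=' ),
        );
    }
    return $hits;
}

$hits = example_audit_elated_membership( get_plugins() );
if ( empty( $hits ) ) {
    WP_CLI::log( 'Elated Membership not installed' );
}
foreach ( $hits as $hit ) {
    $state = $hit['active'] ? 'active' : 'inactive';
    if ( $hit['affected'] ) {
        WP_CLI::warning( sprintf( '%s %s (%s): in affected range (<= 1.2)',
            $hit['file'], $hit['version'], $state ) );
    } else {
        // No fixed release is listed in this record; confirm with the vendor
        // before treating a newer version as safe.
        WP_CLI::log( sprintf( '%s %s (%s): above 1.2, verify fix status with vendor',
            $hit['file'], $hit['version'], $state ) );
    }
}
```

On a multisite network, run it once per site with `wp site list --field=url | xargs -I{} wp --url={} eval-file audit.php`; an inactive copy still counts as an exposure because the plugin files remain on disk and can be reactivated.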


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-24T17:18:21.090Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6938de9abc985c89a3dc30ac

Added to database: 12/10/2025, 2:44:42 AM

Last enriched: 12/17/2025, 4:53:23 AM

Last updated: 2/8/2026, 1:34:28 AM

Views: 196
