CVE-2025-13613 is an authentication bypass vulnerability classified under CWE-289 affecting the Elated Membership plugin for WordPress, versions up to and including 1.2. The vulnerability stems from improper handling of user authentication when logging in users via social network integration functions 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network'. Specifically, the plugin fails to properly verify credentials during login, relying instead on previously verified data without reauthentication. This flaw enables unauthenticated attackers to bypass normal login procedures and gain administrative access if they have an existing user account, which can be created easily through the plugin's temporary user functionality. Additionally, the attacker must have access to the administrative user's email, which is often used as an identifier in the authentication process. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the potential for full site compromise is significant. The lack of available patches at the time of publication increases the urgency for organizations to implement interim mitigations or monitor for suspicious activity. This vulnerability highlights the risks of improper authentication logic in plugins that integrate social login features and the importance of securing administrative email accounts.

For European organizations, this vulnerability poses a critical risk to WordPress sites using the Elated Membership plugin, potentially allowing attackers to gain unauthorized administrative access. This can lead to complete site takeover, data theft, defacement, or deployment of malware, severely impacting business operations and reputation. Confidential information stored or managed via the affected sites could be exposed or altered, violating data protection regulations such as GDPR. The ease of exploitation without user interaction or privileges increases the likelihood of targeted attacks, especially against organizations with high-value web assets or sensitive user data. Additionally, attackers leveraging administrative email access could bypass multi-factor authentication if email is used as a recovery or verification channel. The resulting compromise could disrupt service availability and lead to regulatory penalties and loss of customer trust. Organizations relying on this plugin should consider the threat critical and prioritize remediation to avoid significant operational and compliance impacts.

1. Immediately audit all WordPress sites using the Elated Membership plugin to identify affected versions (up to 1.2). 2. If a patch is released, apply it promptly. In the absence of a patch, disable the plugin or restrict its usage to trusted administrators only. 3. Restrict access to administrative email accounts by enforcing strong authentication methods, including multi-factor authentication and monitoring for suspicious access. 4. Review and harden user account creation policies to prevent unauthorized temporary user creation, including disabling or limiting the temp user functionality if possible. 5. Implement web application firewalls (WAF) with custom rules to detect and block suspicious login attempts related to social network authentication endpoints. 6. Monitor logs for unusual login patterns, especially logins originating from social network authentication functions or from IP addresses not associated with legitimate users. 7. Educate administrators about the risks of this vulnerability and encourage immediate reporting of any suspicious activity. 8. Consider isolating critical WordPress instances or deploying additional layers of access control to limit the impact of potential compromises. 9. Regularly back up site data and configurations to enable rapid recovery in case of compromise.