CVE-2025-13620 identifies a missing authorization vulnerability (CWE-862) in the Wp Social Login and Register Social Counter plugin for WordPress, versions up to and including 3.1.3. The vulnerability stems from three REST API endpoints: wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache, which are registered with a permission_callback set to __return_true. This configuration means that these endpoints do not enforce any permission checks or nonce validation, allowing any unauthenticated user to invoke them. Consequently, attackers can send crafted REST requests to clear or overwrite the social counter cache, which is used to track social login and registration metrics on WordPress sites. Although the vulnerability does not expose confidential data or disrupt service availability, it compromises data integrity by enabling unauthorized modification of social counter information. The CVSS v3.1 score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and no user interaction needed. There are no known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability was published on December 5, 2025, and assigned by Wordfence. Organizations relying on this plugin for social login and registration analytics should be aware of the risk of data tampering and potential reputational impact due to inaccurate social metrics.

For European organizations, the primary impact of this vulnerability is the unauthorized modification of social counter cache data, which can lead to inaccurate social login and registration statistics. This may affect marketing analytics, user engagement tracking, and decision-making processes that rely on these metrics. While the vulnerability does not directly compromise sensitive user data or system availability, the integrity loss could undermine trust in reported social metrics and potentially mask malicious activities or fraudulent user registrations. Organizations with high reliance on social login features and social counters for user analytics, especially e-commerce, media, and community platforms, may experience operational disruptions or reputational damage. Additionally, attackers could use the altered data as part of broader social engineering or misinformation campaigns. The lack of authentication requirements and ease of exploitation increase the risk of automated attacks targeting vulnerable WordPress sites across Europe.

1. Monitor for official patches or updates from the plugin vendor and apply them promptly once released. 2. Until patches are available, restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to wslu/v1/check_cache/*, wslu/v1/save_cache/*, and wslu/v1/settings/clear_counter_cache. 3. Use WordPress security plugins that can limit REST API access to authenticated users or specific roles. 4. Implement nonce validation and capability checks in custom code or through plugin modifications if feasible. 5. Regularly audit social counter data for anomalies or unexpected changes that could indicate exploitation. 6. Educate site administrators about the risks of using outdated plugins and encourage timely updates. 7. Consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices. 8. Employ network-level protections such as IP whitelisting or VPN access for administrative REST API calls where possible.