CVE-2025-13620: CWE-862 Missing Authorization in roxnor Wp Social Login and Register Social Counter
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.
AI Analysis
Technical Summary
CVE-2025-13620 identifies a missing authorization vulnerability (CWE-862) in the roxnor Wp Social Login and Register Social Counter WordPress plugin, affecting all versions up to and including 3.1.3. The flaw lies in how three REST API routes are registered: wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache. Each is registered with permission_callback set to __return_true, so the REST server performs no permission check before dispatching to the handler, and the handlers themselves verify neither a capability nor a nonce. Consequently, unauthenticated attackers can send crafted REST requests to these endpoints to clear or overwrite the social counter cache, which tracks social login and registration metrics. Exploitation requires neither authentication nor user interaction, so the flaw is trivially exploitable remotely. The impact is limited to integrity: attackers can manipulate social counter data, potentially skewing analytics or misleading site administrators; there is no direct impact on confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability was reserved on 2025-11-24 and published on 2025-12-05 with a CVSS v3.1 base score of 5.3 (medium severity), reflecting its moderate impact and ease of exploitation. The root cause is the lack of capability or nonce validation in the REST API handlers, a departure from WordPress secure coding practice for plugins that expose REST endpoints.
Potential Impact
The primary impact of CVE-2025-13620 is the unauthorized modification of social counter cache data within affected WordPress sites. This can lead to inaccurate social login and registration metrics, potentially affecting business decisions, marketing analytics, and user engagement assessments. While this does not directly compromise user data confidentiality or site availability, the integrity loss can undermine trust in site analytics and reporting. Attackers could exploit this vulnerability to manipulate counters for fraudulent purposes or to disrupt the accuracy of social engagement statistics. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by any attacker aware of the REST endpoints. Organizations relying on this plugin for social login metrics may face reputational damage or operational confusion if counters are tampered with. The lack of known exploits reduces immediate risk, but the ease of exploitation and public disclosure increase the likelihood of future attacks.
Mitigation Recommendations
To mitigate CVE-2025-13620, organizations should first check for plugin updates or patches from the vendor roxnor and apply them promptly once available. In the absence of an official patch, administrators should restrict access to the vulnerable REST API endpoints with server-level controls such as IP allowlisting or web application firewall (WAF) rules that block or rate-limit requests to the affected routes. Additionally, disabling or removing the Wp Social Login and Register Social Counter plugin if it is not essential eliminates the attack surface entirely. For sites that require the plugin, custom code can be added to enforce a capability check or nonce validation on the vulnerable REST routes, so that only authorized users can invoke these endpoints. Monitoring REST API access logs for unusual or repeated requests to the specified endpoints can help detect exploitation attempts. Finally, educating site administrators about the risks of exposing REST endpoints without proper authorization, and following WordPress secure development guidelines, will reduce similar vulnerabilities in the future.
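The "custom code to enforce capability checks" recommendation above can be implemented without editing the plugin itself, as a must-use plugin that intercepts the REST dispatch for the three routes named in the advisory. The following is an added example written for this page; it is not the plugin's or vendor's own code. The capability (manage_options), the route regexes, the guard function name and the assumed handler name in the trailing comment are assumptions, not values taken from the plugin.

```php
<?php
/**
 * Plugin Name: WSLU REST cache route guard (added example, not vendor code)
 *
 * Drop this file into wp-content/mu-plugins/. It requires a capability on the
 * three cache routes from the advisory before the plugin's own handler runs.
 * Assumptions: the routes are served under the /wslu/v1 namespace exactly as
 * the advisory names them, and manage_options is the right capability to gate them.
 */

// Routes from the advisory, as regexes matched against WP_REST_Request::get_route().
const WSLU_GUARDED_ROUTES = [
    '#^/wslu/v1/check_cache/[^/]+$#',
    '#^/wslu/v1/save_cache/[^/]+$#',
    '#^/wslu/v1/settings/clear_counter_cache$#',
];

/**
 * True when $route is one of the guarded cache routes. (Assumed helper name.)
 */
function wslu_guard_route_is_guarded(string $route): bool {
    foreach (WSLU_GUARDED_ROUTES as $pattern) {
        if (preg_match($pattern, $route) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Short-circuit the request before the plugin's callback runs unless the caller
 * holds the required capability. WordPress only attaches the logged-in user to a
 * REST request when cookie authentication is accompanied by a valid X-WP-Nonce
 * (or another authentication method succeeds), so an anonymous or nonce-less
 * cookie request fails current_user_can() here; the capability check therefore
 * also covers the nonce requirement the advisory mentions.
 */
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    if (!($request instanceof WP_REST_Request)) {
        return $response;
    }
    if (!wslu_guard_route_is_guarded($request->get_route())) {
        return $response; // not one of ours, let WordPress continue
    }
    if (current_user_can('manage_options')) {
        return $response; // authorized caller, let the plugin handler run
    }

    // Record the refused attempt; repeated hits on these routes are worth an alert.
    error_log(sprintf(
        'wslu-guard: blocked %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));

    // Returning a WP_Error from this filter stops dispatch and sends the error
    // to the client; 401 for anonymous callers, 403 for logged-in ones.
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to modify the social counter cache.'),
        ['status' => rest_authorization_required_code()]
    );
}, 10, 3);

// For reference, the equivalent fix inside the plugin itself replaces
// '__return_true' with a real permission callback at registration time
// (wslu_clear_counter_cache is an assumed handler name, not the plugin's):
//
//   register_rest_route('wslu/v1', '/settings/clear_counter_cache', [
//       'methods'             => WP_REST_Server::EDITABLE,
//       'callback'            => 'wslu_clear_counter_cache',
//       'permission_callback' => fn() => current_user_can('manage_options'),
//   ]);
```

The guard runs on the rest_request_before_callbacks filter, which WordPress applies after the route is matched and before the route's permission_callback and callback execute, so it takes effect even though the plugin's own permission_callback is __return_true. After installing it, a request to any of the three routes without an authorized session should return a JSON error with code rest_forbidden, and each refusal lands in the PHP error log where it can feed the log monitoring the advisory recommends.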
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T20:43:17.834Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6932d3dff88dbe026cbce002
Added to database: 12/5/2025, 12:45:19 PM
Last enriched: 2/27/2026, 10:04:00 AM
Last updated: 3/21/2026, 12:12:33 PM
Views: 167