
CVE-2025-13737: CWE-352 Cross-Site Request Forgery (CSRF) in nextendweb Nextend Social Login and Register

Severity: Medium
Published: Fri Nov 28 2025 (11/28/2025, 03:27:06 UTC)
Source: CVE Database V5
Vendor/Project: nextendweb
Product: Nextend Social Login and Register

Description

The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 10:15:21 UTC

Technical Analysis

CVE-2025-13737 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Nextend Social Login and Register plugin for WordPress, present in all versions up to and including 3.1.21. The vulnerability stems from the absence or improper implementation of nonce validation in the 'unlinkUser' function, which is responsible for unlinking a user's social login account from their WordPress profile. Nonces are security tokens used to verify that a request originates from a legitimate source, preventing unauthorized actions. Without proper nonce validation, an attacker can craft a malicious request that, when executed by a logged-in administrator (e.g., by clicking a link), causes the unlinking of a social login account without the administrator's explicit consent. This attack vector requires no authentication by the attacker but does require user interaction from an administrator, making exploitation feasible in targeted phishing or social engineering scenarios. The vulnerability affects the integrity of user account linkage, potentially disrupting user authentication flows or causing administrative confusion. The CVSS 3.1 score of 4.3 reflects a medium severity level, considering the network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited impact confined to integrity. No public exploits have been reported, but the widespread use of WordPress and this plugin increases the potential attack surface. The vulnerability highlights the importance of proper nonce implementation in WordPress plugins to defend against CSRF attacks.

Potential Impact

The primary impact of this vulnerability is on the integrity of user account linkage within WordPress sites using the Nextend Social Login and Register plugin. An attacker can cause an administrator to unlink social login accounts, potentially disrupting user authentication and causing administrative overhead to restore correct configurations. While this does not directly compromise user credentials or site availability, it can degrade user experience and trust, especially on sites relying heavily on social login functionality. In environments where social login is critical for user access or where administrative workflows depend on linked accounts, this could lead to operational disruptions. Additionally, attackers might leverage this unlinking to facilitate further attacks or social engineering by confusing users or administrators. Since exploitation requires administrator interaction, the risk is mitigated somewhat but remains significant for targeted attacks. Organizations worldwide using this plugin are at risk, particularly those with high administrative activity and reliance on social login features.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the Nextend Social Login and Register plugin to a version that includes proper nonce validation on the 'unlinkUser' function once available. Until a patch is released, administrators should implement the following specific measures:

1) Restrict administrative access and ensure administrators are trained to recognize and avoid clicking suspicious links, especially from untrusted sources.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block CSRF attack patterns targeting the unlinkUser endpoint.
3) Use security plugins that enforce nonce validation, or add custom nonce checks to the unlinkUser function via plugin hooks or custom code.
4) Monitor administrative actions and logs for unusual unlinking events to detect potential exploitation attempts.
5) Limit the number of administrators and enforce strong authentication to reduce the risk of compromised admin accounts.
6) Conduct regular security audits of WordPress plugins and configurations to identify and remediate similar vulnerabilities proactively.

These targeted actions go beyond generic advice by focusing on nonce validation enforcement, administrative user behavior, and monitoring specific to this vulnerability.
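The following is an added illustration of the nonce pattern discussed in the Technical Analysis and in mitigation item 3; it is not Nextend's code. It uses a hypothetical AJAX action `nsl_demo_unlink`, hypothetical handler names and a hypothetical user-meta key, and shows a handler that honours any cookie-authenticated request beside the same handler with a nonce check and a capability check added.

```php
<?php
// Added example for CVE-2025-13737's bug class; all names below are hypothetical.

// Missing the check: WordPress runs this for any request carrying a logged-in
// user's cookies, so a page on another site can submit it on the admin's behalf.
function nsl_demo_unlink_user_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $provider = isset( $_POST['provider'] ) ? sanitize_key( $_POST['provider'] ) : '';
    // No nonce verification and no capability check before the state change.
    delete_user_meta( $user_id, 'nsl_demo_' . $provider . '_id' ); // hypothetical meta key
    wp_send_json_success( array( 'unlinked' => $provider ) );
}

// Hardened: the nonce is a per-user, per-action, time-limited token that a
// cross-site page cannot read, and the capability check limits who may unlink.
function nsl_demo_unlink_user_hardened() {
    // Verifies $_REQUEST['_wpnonce'] against the action 'nsl_demo_unlink';
    // on a missing or stale token it stops the request with a 403 ("-1") response.
    check_ajax_referer( 'nsl_demo_unlink', '_wpnonce' );

    $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $provider = isset( $_POST['provider'] ) ? sanitize_key( $_POST['provider'] ) : '';
    if ( ! $user_id || '' === $provider ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }
    // Only the account owner, or a user who may edit users, can unlink a provider.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_user_meta( $user_id, 'nsl_demo_' . $provider . '_id' );
    wp_send_json_success( array( 'unlinked' => $provider ) );
}
// Logged-in users only: no wp_ajax_nopriv_ registration for a state-changing action.
add_action( 'wp_ajax_nsl_demo_unlink', 'nsl_demo_unlink_user_hardened' );

// The legitimate UI embeds the matching nonce; a forged form cannot include it.
function nsl_demo_unlink_form( $user_id, $provider ) {
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    $html .= wp_nonce_field( 'nsl_demo_unlink', '_wpnonce', true, false ); // hidden _wpnonce field
    $html .= '<input type="hidden" name="action" value="nsl_demo_unlink">';
    $html .= '<input type="hidden" name="user_id" value="' . esc_attr( (int) $user_id ) . '">';
    $html .= '<input type="hidden" name="provider" value="' . esc_attr( $provider ) . '">';
    $html .= '<button type="submit">Unlink</button></form>';
    return $html;
}
```

Reviewing a plugin for this bug class means locating every handler that changes state (here, the unlink path) and confirming that a `check_ajax_referer()`/`check_admin_referer()`/`wp_verify_nonce()` call and a capability check both run before the write.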


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-26T07:00:24.096Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692919d1a7cba954100dd851

Added to database: 11/28/2025, 3:41:05 AM

Last enriched: 2/27/2026, 10:15:21 AM

Last updated: 3/24/2026, 2:44:11 PM
