
CVE-2025-1671: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Elated-Themes Academist Membership

Severity: Critical
Tags: CVE-2025-1671, CWE-288
Published: Sat Mar 01 2025 (03/01/2025, 07:24:04 UTC)
Source: CVE Database V5
Vendor/Project: Elated-Themes
Product: Academist Membership

Description

CVE-2025-1671 is a critical authentication bypass vulnerability in the Academist Membership WordPress plugin by Elated-Themes, affecting all versions up to and including 1.1.6. The flaw arises from improper identity verification in the academist_membership_check_facebook_user() function, which allows unauthenticated attackers to log in as any user, including administrators. Exploitation requires no user interaction and no prior authentication and yields full privilege escalation, so a successful attack means complete compromise of the affected site: data theft, defacement, or further malware deployment. No public exploits are currently known, but the CVSS score of 9.8 reflects the severe risk. Organizations using this plugin should apply a fixed version as soon as one is available or implement immediate mitigations. The exposure is global, since WordPress and this plugin are used worldwide, with risk concentrated wherever they are most widely deployed.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 22:06:57 UTC

Technical Analysis

The Academist Membership plugin for WordPress, developed by Elated-Themes, contains a critical authentication bypass tracked as CVE-2025-1671. The defect is in academist_membership_check_facebook_user(), the routine that completes a Facebook-based login: it does not properly verify that the identity it is about to log in actually belongs to the party presenting it, so the Facebook login path becomes an alternate channel into any account (hence CWE-288, Authentication Bypass Using an Alternate Path or Channel). An unauthenticated attacker can therefore obtain a session as any user on the site, including administrators, and take full control of it. All versions up to and including 1.1.6 are affected. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of analysis, but a logic flaw of this kind is typically simple to exploit once the request format is known, and no patch was available when the advisory was published, so mitigation cannot wait for one. Because WordPress is so widely deployed and the plugin sits directly in the login path of membership sites, a successful attack leads straight to data exposure, unauthorized content changes or deployment of malicious code.
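The flaw class described above, a social-login callback that trusts an identity it never verified, is easiest to see in code. The following is an added example written for this page, not code from Academist Membership or from Elated-Themes: the vulnerable pattern takes the account to log in from the request body, while the hardened version accepts only a Facebook access token, asks Facebook's Graph API (the debug_token endpoint) which app and user the token belongs to, and then resolves the WordPress account from a server-side binding. Everything prefixed example_, the user-meta key example_fb_user_id and the constants EXAMPLE_FB_APP_ID / EXAMPLE_FB_APP_SECRET are assumptions; the real plugin's internals are not shown on this page.

```php
<?php
// Added example (not the plugin's code): a Facebook-login callback that
// exhibits CWE-288, followed by a hardened version.

// VULNERABLE PATTERN: the identity comes from the request body, so the
// "alternate channel" (the social-login endpoint) never checks it.
function example_insecure_facebook_login() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 401 );
    }
    // An attacker supplies an administrator's e-mail and receives that session.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success();
}

// HARDENED: only a Facebook access token is accepted, it is verified with
// Facebook using the app access token, and the WordPress account is found
// by the Facebook user id recorded when the account was linked.
const EXAMPLE_FB_APP_ID     = 'your-app-id';     // assumption: load from secure config
const EXAMPLE_FB_APP_SECRET = 'your-app-secret'; // assumption: never commit this

function example_verify_facebook_token( $token, $app_id, $app_secret ) {
    $url  = 'https://graph.facebook.com/debug_token?' . http_build_query( [
        'input_token'  => $token,
        'access_token' => $app_id . '|' . $app_secret, // app access token
    ] );
    $resp = wp_remote_get( $url, [ 'timeout' => 10 ] );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'fb_unreachable', 'token introspection failed' );
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    $d    = $body['data'] ?? [];
    // All three must hold: token is live, was issued to OUR app, names a user.
    if ( empty( $d['is_valid'] )
        || (string) ( $d['app_id'] ?? '' ) !== (string) $app_id
        || empty( $d['user_id'] ) ) {
        return new WP_Error( 'fb_invalid', 'token is not valid for this app' );
    }
    return (string) $d['user_id'];
}

function example_verified_facebook_login() {
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }
    $fb_id = example_verify_facebook_token( $token, EXAMPLE_FB_APP_ID, EXAMPLE_FB_APP_SECRET );
    if ( is_wp_error( $fb_id ) ) {
        wp_send_json_error( $fb_id->get_error_message(), 401 );
    }
    // Server-side binding: Facebook id -> WordPress user, stored at link time.
    // Nothing the client sent is used to choose the account.
    $users = get_users( [
        'meta_key'   => 'example_fb_user_id', // assumption: written when the user linked Facebook
        'meta_value' => $fb_id,
        'number'     => 1,
    ] );
    if ( empty( $users ) ) {
        wp_send_json_error( 'this Facebook account is not linked to a user here', 401 );
    }
    $user = $users[0];
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    do_action( 'wp_login', $user->user_login, $user ); // keep login-audit hooks informed
    wp_send_json_success();
}
```

The essential difference is where the account comes from. In the hardened version the client can only hand over a token; Facebook says whose token it is and for which app, and the site maps that Facebook id to a WordPress user it linked earlier. If a deployment must fall back to e-mail matching, the address has to come from the Graph API response on the server, never from the request, and the app_id check is what stops a token issued to some other Facebook app from being replayed here.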

Potential Impact

The impact of CVE-2025-1671 is severe and far-reaching. Successful exploitation grants attackers full administrative access to affected WordPress sites without any authentication, enabling them to steal sensitive data, modify or delete content, install backdoors or malware, and disrupt site availability. This can lead to reputational damage, loss of customer trust, regulatory penalties, and financial losses for organizations relying on these websites. Membership sites often store personal user information and payment data, increasing the risk of identity theft and fraud. The vulnerability’s network-based exploitability and lack of user interaction requirements mean attackers can automate attacks at scale, potentially compromising many sites rapidly. Additionally, compromised administrator accounts can be used as pivot points for further attacks within organizational networks. The absence of known exploits currently provides a narrow window for remediation before active exploitation begins. Organizations worldwide using this plugin are at risk, especially those with high-value data or critical online services.

Mitigation Recommendations

Until an official patch is released, organizations should implement the following mitigations:

1) Deactivate the Academist Membership plugin. This is the only step that removes the vulnerable code path; everything below reduces exposure or improves detection while the plugin stays installed.
2) Restrict access to the WordPress admin interface (wp-admin and wp-login.php) by IP allowlisting or VPN. Because the bypass issues a session directly, restrict where administrator sessions are honoured, not only where the login form is reachable.
3) Add Web Application Firewall (WAF) rules for the HTTP endpoint the plugin's Facebook login uses. A WAF cannot see the PHP function name academist_membership_check_facebook_user(); identify the request (path, AJAX action or query parameter) from the plugin source or from a legitimate login captured in the browser's network tab, then block or rate-limit that request, at minimum from outside the allowlist.
4) Monitor for unusual sign-ins: administrator sessions created without a request to wp-login.php, logins from new IP addresses or countries, and bursts of requests to the Facebook-login endpoint.
5) Enforce strong, unique passwords and multi-factor authentication (MFA) for all administrator accounts. Note that this bypass never reaches the password check, so MFA enforced only on the normal login form will not stop it; it still limits the value of any credentials taken from a compromised site.
6) Back up website data regularly and verify that backups actually restore, so a compromise can be rolled back.
7) Once a fixed version is released, update immediately and confirm the installed plugin version is newer than 1.1.6.
8) If patching is not possible on an acceptable timeline, consider a membership plugin with a stronger security track record.
9) Brief site administrators on the vulnerability and on the signs of compromise (unknown administrator accounts, modified files, new scheduled tasks).
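Items 2 and 4 can be made concrete in a must-use plugin. The following is an added example for this page, not part of Academist Membership or any vendor's code: it logs every authentication-cookie issuance together with the request path (a session minted by a social-login endpoint rather than wp-login.php stands out in the log), and it refuses to honour an administrator-capable session from an IP outside an allowlist, no matter how the cookie was obtained. The allowlist networks, the example_ prefix and the use of REMOTE_ADDR as the client address are assumptions; behind a reverse proxy the real client address arrives in a header the proxy sets, and example_client_ip() must read that instead.

```php
<?php
/**
 * Plugin Name: Example admin-session guard
 * Description: Added example for this page, not code from Academist Membership.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// ASSUMPTION: the networks administrators legitimately work from. Adjust.
const EXAMPLE_ADMIN_ALLOWLIST = [ '203.0.113.0/24', '198.51.100.7/32' ];

// ASSUMPTION: no reverse proxy, so REMOTE_ADDR is the real client address.
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '';
}

// IPv4 CIDR test; anything unparsable (including IPv6) counts as not allowed.
function example_ip_in_cidr( $ip, $cidr ) {
    $parts = explode( '/', $cidr );
    $net   = $parts[0];
    $bits  = isset( $parts[1] ) ? (int) $parts[1] : 32;
    $ip_l  = ip2long( $ip );
    $net_l = ip2long( $net );
    if ( false === $ip_l || false === $net_l || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_l & $mask ) === ( $net_l & $mask );
}

function example_ip_allowlisted( $ip ) {
    foreach ( EXAMPLE_ADMIN_ALLOWLIST as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Detection: every session WordPress issues through wp_set_auth_cookie() is
// logged with the path that caused it. A normal login shows /wp-login.php;
// a session minted by a social-login handler shows that handler's path.
add_action( 'set_auth_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    $user = get_userdata( $user_id );
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
    error_log( sprintf(
        'wp-auth-cookie user=%s admin=%s ip=%s uri=%s',
        $user ? $user->user_login : (string) $user_id,
        $user && user_can( $user, 'manage_options' ) ? 'yes' : 'no',
        example_client_ip(),
        $uri
    ) );
}, 10, 6 );

// Containment: on every request, an administrator-capable session from outside
// the allowlist resolves to "logged out", regardless of how the cookie was
// obtained. Priority 99 runs after WordPress's own cookie validation.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return $user_id; // no client address on the command line
    }
    if ( $user_id && user_can( $user_id, 'manage_options' ) && ! example_ip_allowlisted( example_client_ip() ) ) {
        error_log( sprintf( 'wp-admin-session-denied user_id=%d ip=%s', $user_id, example_client_ip() ) );
        return 0;
    }
    return $user_id;
}, 99 );
```

mu-plugins cannot be deactivated from the dashboard, which matters when the attacker's goal is an administrator session. The determine_current_user filter runs whenever WordPress resolves the logged-in user, so it catches a cookie set by a bypassed login as well as one from wp-login.php; a denied session also appears in the log with its source address. The set_auth_cookie action only fires through wp_set_auth_cookie(), so a plugin that writes cookies by hand would not be logged by it, which is one more reason to deactivate the vulnerable plugin (item 1) rather than rely on this guard alone.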


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-24T21:51:36.610Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b17b7ef31ef0b54e02a

Added to database: 2/25/2026, 9:35:19 PM

Last enriched: 2/25/2026, 10:06:57 PM

Last updated: 2/26/2026, 9:01:30 AM


