Overview
CVE-2025-1638 is a critical vulnerability found in the Alloggio Membership plugin for WordPress, affecting all versions up to and including 1.1. The issue enables unauthenticated attackers to log in as any user, including site administrators, without knowing the password, due to flaws in the plugin’s social login handling.
Technical Details
The vulnerability is caused by insufficient identity validation within the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. These functions are responsible for handling Facebook and Google login requests via REST API endpoints. However, they fail to properly authenticate and verify user identity tokens before granting access.
As a result, attackers can craft fake social login requests and impersonate any existing user on the site, including those with administrator privileges. This flaw is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
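To make the flaw class concrete, the following is an added illustration written for this write-up; it is not code from the Alloggio Membership plugin and does not reproduce its handlers. It contrasts a social-login REST callback that trusts an e-mail address supplied by the caller (the CWE-288 pattern the advisory describes) with one that verifies a Google ID token against Google's tokeninfo endpoint and checks the audience, issuer, expiry and verified-e-mail claims before establishing a WordPress session. The route names, the `EXAMPLE_GOOGLE_CLIENT_ID` constant and all `example_*` function names are assumptions made for the illustration.

```php
<?php
/**
 * Added illustration, not Alloggio Membership code. Shows a flawed
 * social-login REST callback beside a hardened one. Route names, the
 * client-ID constant and the example_* helpers are hypothetical.
 */

// Hypothetical placeholder: the OAuth client ID this site registered with Google.
define( 'EXAMPLE_GOOGLE_CLIENT_ID', 'REPLACE-WITH-YOUR-CLIENT-ID.apps.googleusercontent.com' );

add_action( 'rest_api_init', function () {
    // Only the hardened route is registered; the flawed callback below is
    // kept solely for contrast and is deliberately not wired to a route.
    register_rest_route( 'example-social/v1', '/google-login', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // login endpoints are public by nature
        'callback'            => 'example_google_login_secure',
    ) );
} );

/**
 * FLAWED (for contrast only): the e-mail comes straight from the request
 * body, so any caller who knows an account's address is logged in as it.
 * This is the shape of bug the advisory's CWE-288 classification refers to.
 */
function example_google_login_insecure( WP_REST_Request $request ) {
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.', array( 'status' => 404 ) );
    }
    return example_log_user_in( $user ); // identity was never verified
}

/**
 * HARDENED: the token is verified with the identity provider first, and the
 * account is looked up by the e-mail Google attested, not one the caller typed.
 */
function example_google_login_secure( WP_REST_Request $request ) {
    $id_token = (string) $request->get_param( 'id_token' );
    if ( '' === $id_token ) {
        return new WP_Error( 'missing_token', 'No ID token supplied.', array( 'status' => 400 ) );
    }

    $claims = example_verify_google_id_token( $id_token, EXAMPLE_GOOGLE_CLIENT_ID );
    if ( is_wp_error( $claims ) ) {
        return $claims;
    }

    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.', array( 'status' => 404 ) );
    }
    return example_log_user_in( $user );
}

/**
 * Ask Google's tokeninfo endpoint to validate the ID token, then check the
 * claims that bind it to this site and to a verified address. Returns the
 * decoded claims array or a WP_Error. tokeninfo returns all values as strings.
 */
function example_verify_google_id_token( $id_token, $expected_client_id ) {
    $url      = 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_token', 'Google rejected the token.', array( 'status' => 401 ) );
    }

    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) ) {
        return new WP_Error( 'bad_token', 'Unreadable token response.', array( 'status' => 401 ) );
    }

    // Audience: a valid Google token issued for some other app must not log anyone in here.
    if ( empty( $claims['aud'] ) || ! hash_equals( $expected_client_id, (string) $claims['aud'] ) ) {
        return new WP_Error( 'bad_audience', 'Token was not issued for this site.', array( 'status' => 401 ) );
    }
    // Issuer: only Google's accounts service may mint these tokens.
    $issuer = isset( $claims['iss'] ) ? (string) $claims['iss'] : '';
    if ( ! in_array( $issuer, array( 'accounts.google.com', 'https://accounts.google.com' ), true ) ) {
        return new WP_Error( 'bad_issuer', 'Unexpected token issuer.', array( 'status' => 401 ) );
    }
    // Expiry: reject stale tokens even if Google still decodes them.
    if ( empty( $claims['exp'] ) || (int) $claims['exp'] <= time() ) {
        return new WP_Error( 'expired', 'Token has expired.', array( 'status' => 401 ) );
    }
    // Verified e-mail: an unverified address must never be used for account lookup.
    $verified = isset( $claims['email_verified'] ) ? (string) $claims['email_verified'] : '';
    if ( empty( $claims['email'] ) || 'true' !== $verified ) {
        return new WP_Error( 'unverified_email', 'E-mail not verified by Google.', array( 'status' => 401 ) );
    }
    return $claims;
}

/** Establish the WordPress session for a user whose identity is already verified. */
function example_log_user_in( WP_User $user ) {
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user ); // lets audit/logging hooks see the login
    return rest_ensure_response( array( 'logged_in' => true, 'user_id' => $user->ID ) );
}
```

The point of the hardened version is that every claim the site acts on (the e-mail used for lookup) is taken from a response Google produced for this specific token, and the audience check stops a legitimately issued token for a different application from being replayed here. A Facebook handler follows the same structure, with Facebook's debug_token endpoint standing in for tokeninfo and the app ID checked in place of the client ID.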
CVSS Score
This vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: High across Confidentiality, Integrity, and Availability
Affected Versions
All versions of the Alloggio Membership plugin up to and including 1.1 are affected. The vulnerability impacts sites using this plugin with social login features enabled.
Mitigation
- Update the Alloggio Membership plugin to a version that patches this issue, if available.
- Temporarily disable social login features on affected sites.
- Audit user access logs for signs of suspicious logins or account takeovers.
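For sites that cannot update immediately, the following added example (written for this write-up, not supplied by the plugin's authors) shows one way to carry out the second and third mitigation steps from a must-use plugin: it refuses REST calls to social-login routes until a fix is installed, and it records every login that arrives through the REST API so the access-log audit has a clear trail. The route prefixes in `example_social_login_blocked_prefixes()` are hypothetical placeholders and must be replaced with the real routes the plugin registers before use.

```php
<?php
/**
 * Plugin Name: Example social-login kill switch (added illustration)
 * Description: Blocks social-login REST routes and logs REST-originated logins.
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * The route prefixes below are hypothetical; substitute the plugin's actual routes.
 */

/** Hypothetical placeholders: REST routes whose handlers should be refused for now. */
function example_social_login_blocked_prefixes() {
    return array(
        '/example-social/v1/facebook-login',
        '/example-social/v1/google-login',
    );
}

/** Returns true when a REST route falls under one of the blocked prefixes. */
function example_social_login_route_is_blocked( $route ) {
    foreach ( example_social_login_blocked_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Short-circuit matching REST requests before any plugin callback runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( example_social_login_route_is_blocked( $route ) ) {
        $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'social-login kill switch: refused %s from %s', $route, $addr ) );
        return new WP_Error(
            'social_login_disabled',
            'Social login is temporarily disabled.',
            array( 'status' => 503 )
        );
    }
    return $result;
}, 10, 3 );

// Audit trail: record logins that originate from a REST request, which is
// where a social-login bypass would show up rather than the wp-login.php form.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'REST login: user=%s id=%d roles=%s from %s',
            $user_login,
            $user->ID,
            implode( ',', $user->roles ),
            $addr
        ) );
    }
}, 10, 2 );
```

With this in place, a burst of refused calls to the blocked routes, or REST logins to administrator accounts that nobody recognises, are the signals to look for when auditing access logs after installing the patched version.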
Conclusion
This vulnerability highlights the importance of robust identity validation in OAuth and social login implementations. Developers must ensure that authentication tokens are properly verified with the identity provider before granting access. Site administrators using the Alloggio Membership plugin should take immediate action to secure their sites.
Thanks to Tonn for discovering this issue. For further details, visit the official Wordfence advisory.