CRITICAL🇵🇱 Wersja polska

CVE-2025-13613

CVSS 9.8v3.1pub. 2025-12-10upd. 2026-04-15

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.

🤖 AI Analysis
How it works

The plugin improperly handles the user login process after data verification through the 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network' functions. Verified data is not properly linked to the login session, allowing an attacker to bypass the authentication mechanism. The attacker must have an existing account on the site (which can be easily created through the default temporary user functionality) and know the administrator account email address, after which they can log in to that account without knowing the password.

Impact

An attacker can gain full administrative access to the WordPress website, enabling takeover of the service, data theft, installation of malicious software, and modification or deletion of page content.

Mitigation & patch

Apply patches available from the vendor according to references. Additionally, it is recommended to disable the temporary user registration functionality if not required, and monitor access logs for suspicious login attempts.

Who is affected

Elated Membership plugin for WordPress in all versions up to and including 1.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References