A critical vulnerability in the Case Theme User plugin for WordPress allows unauthenticated attackers to hijack any account on vulnerable sites, including administrative accounts, by exploiting the social login feature. Site owners are urged to update immediately.
On May 31, 2025, Wordfence Intelligence received a report of an Authentication Bypass via Social Login vulnerability in Case Theme User, a plugin installed on approximately 12,000 WordPress sites and bundled within multiple premium themes sold through ThemeForest.
The vulnerability, tracked as CVE-2025-5821 and assigned a CVSS score of 9.8 (Critical), affects all plugin versions up to and including 1.0.3.
If exploited, it enables an attacker to log in as any registered user—administrators included—solely by supplying a known email address.
How the Vulnerability Works
The issue stems from the plugin’s facebook_ajax_login_callback() function in the Case_Theme_User_Ajax class, which handles Facebook-based social login.
By design, the function verifies user data supplied via AJAX, but due to flawed logic, it then authenticates the user based on the supplied email alone if a matching username already exists.
An attacker can first register a temporary account using their own email through the plugin’s default registration process.
Subsequently, by submitting the victim’s email address in the AJAX request, the attacker triggers wp_set_auth_cookie() for the account tied to that email, even though they never proved ownership of the victim’s Facebook credentials. This grants immediate access to the victim’s account.
The complete exploit chain is straightforward:
- The attacker registers a temporary user via social login with their own email.
- The attacker issues an AJAX request to admin-ajax.php with the action facebook_ajax_login, the plugin nonce, a fabricated Facebook username, and the victim’s email.
- The plugin bypasses proper authentication and sets a valid WordPress authentication cookie for the victim’s account.
Example exploit attempts show attackers cycling through common address permutations (such as [email protected], [email protected], or [email protected]) to discover valid administrative emails and gain control.
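The flaw described above is a trust problem: the handler accepts an identity claim (an email) from the request body instead of deriving the identity from a token that the provider has vouched for. The following is an added illustration, not the plugin’s actual source and not code from Wordfence. It shows the flawed shape in a few lines and then a hardened handler that verifies the Facebook access token server-side before looking up any account. The function names, the nonce action, the option keys and the user-meta key are assumptions; the WordPress functions and the Facebook Graph API endpoints are real.

```php
<?php
// Added example (hypothetical handler, not the Case Theme User plugin's code).
// Flawed shape, as the advisory describes it: whoever supplies an email that
// matches an existing user is logged in as that user. The nonce is handed to
// every visitor for CSRF protection, so it proves nothing about who the caller is.
function hypothetical_flawed_facebook_login() {
    check_ajax_referer( 'case_theme_user_nonce', 'nonce' ); // assumed nonce action
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID, true ); // identity was never verified
        wp_send_json_success( array( 'redirect' => home_url() ) );
    }
    wp_send_json_error( 'login failed' );
}

// Hardened shape: the only identity-bearing input is the access token, and the
// email is read from Facebook's reply after the token is confirmed to belong to
// this site's app. Option names and the meta key are assumptions.
function hypothetical_hardened_facebook_login() {
    check_ajax_referer( 'case_theme_user_nonce', 'nonce' );

    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    $app_id     = get_option( 'ctu_facebook_app_id' );     // assumed option key
    $app_secret = get_option( 'ctu_facebook_app_secret' ); // assumed option key

    // 1. Ask Facebook whether the token is valid and was issued for *our* app.
    //    A valid token minted for some other app must not log anyone in here.
    $debug = wp_remote_get( add_query_arg( array(
        'input_token'  => $token,
        'access_token' => $app_id . '|' . $app_secret,
    ), 'https://graph.facebook.com/debug_token' ), array( 'timeout' => 10 ) );
    $info = json_decode( wp_remote_retrieve_body( $debug ), true );
    if ( is_wp_error( $debug )
        || 200 !== wp_remote_retrieve_response_code( $debug )
        || empty( $info['data']['is_valid'] )
        || (string) $info['data']['app_id'] !== (string) $app_id ) {
        wp_send_json_error( 'token rejected', 401 );
    }

    // 2. Take the identity from Facebook, never from the POST body.
    $me = wp_remote_get( add_query_arg( array(
        'fields'       => 'id,email',
        'access_token' => $token,
    ), 'https://graph.facebook.com/me' ), array( 'timeout' => 10 ) );
    $profile = json_decode( wp_remote_retrieve_body( $me ), true );
    if ( is_wp_error( $me ) || empty( $profile['id'] ) || empty( $profile['email'] ) ) {
        wp_send_json_error( 'profile unavailable', 401 );
    }

    // 3. Match on the stable provider user id first; fall back to the provider-
    //    verified email only to link an account for the first time.
    $linked = get_users( array(
        'meta_key'   => 'ctu_facebook_id', // assumed meta key
        'meta_value' => $profile['id'],
        'number'     => 1,
    ) );
    $user = $linked ? $linked[0] : get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        wp_send_json_error( 'no linked account', 403 );
    }
    // Policy choice: keep social login away from accounts that can change the site.
    if ( user_can( $user, 'manage_options' ) ) {
        wp_send_json_error( 'social login disabled for administrators', 403 );
    }
    if ( ! $linked ) {
        update_user_meta( $user->ID, 'ctu_facebook_id', $profile['id'] );
    }

    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( array( 'redirect' => home_url() ) );
}

add_action( 'wp_ajax_nopriv_hypothetical_facebook_login', 'hypothetical_hardened_facebook_login' );
add_action( 'wp_ajax_hypothetical_facebook_login', 'hypothetical_hardened_facebook_login' );
```

Two checks in the hardened version carry most of the weight: the app_id comparison in the debug_token response, which stops a token minted for a different app from being replayed against this site, and reading the email from the /me response rather than the request. Refusing social login for accounts holding manage_options is a policy decision rather than a fix, but it limits the blast radius if a provider-side check is ever wrong.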
Mitigations
Wordfence patched the plugin on August 13, 2025, releasing version 1.0.4. The vulnerability was publicly disclosed on August 22, and exploitation attempts were observed as early as August 23, when the Wordfence Firewall began blocking malicious AJAX calls.

To protect users, firewall rules against this attack were distributed to Wordfence Premium, Care, and Response customers on June 10, following standard vulnerability handling procedures. Free users received the same protection after a 30-day delay on July 10.
Since public disclosure, the Wordfence Firewall has blocked over 20,900 exploit attempts targeting this vulnerability.

Attack traffic peaked on August 26, August 30, and September 2, demonstrating active threat actor interest. Analysis of blocking data reveals the top offending IP addresses include:
- 2602:ffc8:2:105:216:3cff:fe96:129f (over 6,300 blocked requests).
- 146.70.186.142 (over 5,700 blocked requests).
- 107.175.179.8 (over 5,000 blocked requests).
- 2602:ffc8:2:105:216:3cff:fe40:4b78 (over 2,400 blocked requests).
- 89.117.42.68 (over 500 blocked requests).
All site administrators using Case Theme User must upgrade to version 1.0.4 without delay. Failure to apply this update leaves sites vulnerable to full account takeover, privilege escalation, and complete site compromise.
In addition to updating, site owners should verify that their Wordfence Firewall rules are active and review blocked event logs for any signs of attempted exploitation.
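The firewall’s blocked-event log is the authoritative place to look, but a plain web-server access log can also be triaged for this traffic. The script below is an added example (not from Wordfence or the plugin) that reads combined-format access-log lines, keeps only requests to admin-ajax.php whose query string names the facebook_ajax_login action, and counts them per source address. The log lines are constructed for the example; the IP addresses are documentation ranges, not the ones listed above.

```php
<?php
// Added example: triage an access log for requests aimed at the social-login
// AJAX action. SAMPLE_LOG is constructed; replace it with file_get_contents()
// of a real log in combined format.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [26/Aug/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [26/Aug/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [26/Aug/2025:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.7 - - [26/Aug/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=facebook_ajax_login HTTP/1.1" 200 498 "https://example.test/login/" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2025:10:06:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Aug/2025:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Per-IP count of requests whose query string carries action=facebook_ajax_login.
// Returns the counts sorted from most to fewest requests.
function ctu_login_attempts_by_ip(string $log): array {
    // client ip, method, request target, HTTP status
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})/';
    $counts  = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a combined-format line
        }
        $ip     = $m[1];
        $target = $m[3];
        $path   = (string) parse_url($target, PHP_URL_PATH);
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        if (!str_ends_with($path, '/admin-ajax.php')) {
            continue;
        }
        if (($params['action'] ?? '') !== 'facebook_ajax_login') {
            continue;
        }
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Sources above the threshold; tune the threshold to the site's normal login volume.
function ctu_suspicious_sources(array $counts, int $threshold = 3): array {
    return array_keys(array_filter($counts, fn(int $n) => $n >= $threshold));
}

$counts = ctu_login_attempts_by_ip(SAMPLE_LOG);
foreach ($counts as $ip => $n) {
    printf("%-40s %d\n", $ip, $n);
}
print_r(ctu_suspicious_sources($counts));
```

One caveat when reading the result: the action is only visible here when it travels in the query string. A request that puts action=facebook_ajax_login in the POST body leaves nothing but a POST to admin-ajax.php in a standard access log, so a burst of admin-ajax.php POSTs from one address is still worth a look, and the firewall’s own blocked-event records remain the better source.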
By promptly installing the patched plugin and maintaining robust firewall protections, WordPress site operators can thwart attackers seeking to bypass authentication via social login and safeguard both regular and administrative user accounts. Continuous vigilance and timely updates remain the cornerstone of WordPress security.