WordPress Plugin Vulnerabilities

Wp Social Login and Register Social Counter < 3.1.4 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering

Description

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.

Affects Plugins

Plugin icon
wp-social
Fixed in 3.1.4

References

CVE
CVE-2025-13620
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa205d7-61ce-4ab9-b532-fd0b46b0f6a0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
95854bb6-e178-4ccc-91f4-f7a89a17d3a1

Timeline

Publicly Published
2025-12-04 (about 6 months ago)
Added
2025-12-04 (about 6 months ago)
Last Updated
2026-02-04 (about 4 months ago)

Other

Published
Title
Published
2025-04-01
Title
GDPR Cookie Notice <= 1.2.0 - Missing Authorization
Published
2024-01-05
Title
RSS Aggregator by Feedzy < 4.3.3 - Missing Authorization
Published
2025-05-29
Title
Responsive Plus < 3.2.1 - Missing Authorization
Published
2026-02-09
Title
Benevolent < 1.4.0 - Missing Authorization
Published
2023-09-22
Title
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure