Description
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.
Published: 2025-12-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Social counter tampering via unauthenticated REST endpoints
Action: Upgrade
AI Analysis

Impact

The Wp Social Login and Register Social Counter plugin allows unauthenticated users to clear or overwrite the social counter cache because three REST routes under the wslu/v1 namespace are registered with permission_callback set to __return_true, and their handlers perform no capability or nonce check of their own. An attacker can therefore falsify the social engagement metrics a WordPress site displays without storing or executing any code. The impact is confined to integrity (the CVSS vector is C:N/I:L/A:N): cleared or fabricated social counts and the reputational damage that follows from them.

Affected Systems

This issue affects the Wp Social Login and Register Social Counter plugin provided by roxnor, for all versions up to and including 3.1.3.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) rates this medium: the routes are reachable over the network with no privileges or user interaction, but the only impact is a partial loss of integrity. The EPSS score below 1% indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded on this page nevertheless marks it Automatable, because exploitation is a single crafted REST request. An attacker sends that request to one of the affected routes (wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, wslu/v1/settings/clear_counter_cache, exposed under /wp-json/ on a default install) with no authentication and no nonce. Because the flaw is a missing authorization check (CWE-862) rather than a bypass of an existing one, no credentials are needed: any client that can reach the site's REST API can clear or overwrite the counter cache.
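The registration pattern the advisory describes, beside a hardened form, as an added example (this is not the plugin's own code). The namespace and route paths are taken from the advisory; the handler names, the allowlist of counter types and the option key wslu_example_counter_cache are assumptions for illustration.

```php
<?php
/**
 * Added example, not the plugin's own code. Shows the route registration the
 * advisory describes for versions <= 3.1.3 next to a hardened registration.
 * Namespace and route paths come from the advisory; handler names, the
 * allowed counter types and the option key are assumptions.
 */

add_action('rest_api_init', function () {
    // VULNERABLE pattern (as described by the advisory): permission_callback
    // is '__return_true', so WordPress never asks who is calling, and the
    // handler checks neither a capability nor a nonce. An anonymous
    // POST /wp-json/wslu/v1/settings/clear_counter_cache wipes the cache.
    register_rest_route('wslu/v1', '/settings/clear_counter_cache', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wslu_example_clear_cache_insecure',
        'permission_callback' => '__return_true',
    ]);

    // HARDENED form: the capability check lives in permission_callback, so the
    // handler never runs for callers who fail it, and the route arguments are
    // validated by schema before the handler sees them. Cookie-authenticated
    // REST requests count as logged in only when they carry a valid X-WP-Nonce
    // header (rest_cookie_check_errors); otherwise WordPress treats the caller
    // as anonymous and current_user_can() is false, so the single capability
    // check also enforces the nonce for browser sessions.
    register_rest_route('wslu/v1', '/save_cache/(?P<type>[a-z_]+)', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wslu_example_save_cache',
        'permission_callback' => 'wslu_example_require_manage_options',
        'args'                => [
            // Assumed allowlist of counter types; the real plugin's set is unknown.
            'type'  => ['required' => true, 'enum' => ['facebook', 'twitter', 'instagram']],
            'count' => ['required' => true, 'type' => 'integer', 'minimum' => 0],
        ],
    ]);
});

// Insecure handler: nothing here stops an anonymous caller.
function wslu_example_clear_cache_insecure(WP_REST_Request $request) {
    delete_option('wslu_example_counter_cache');
    return rest_ensure_response(['cleared' => true]);
}

// Permission callback for the hardened route. 'manage_options' is an assumed
// capability; use whatever capability legitimately maintains the cache.
function wslu_example_require_manage_options(WP_REST_Request $request) {
    if (current_user_can('manage_options')) {
        return true;
    }
    // rest_authorization_required_code(): 401 for anonymous callers,
    // 403 for logged-in users who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to modify the social counter cache.',
        ['status' => rest_authorization_required_code()]
    );
}

// Hardened handler: only reached after permission_callback and schema
// validation have both passed, so 'type' is one of the allowlisted values
// and 'count' is a non-negative integer.
function wslu_example_save_cache(WP_REST_Request $request) {
    $type  = $request['type'];
    $count = (int) $request['count'];
    $cache = get_option('wslu_example_counter_cache', []);
    $cache[$type] = ['count' => $count, 'updated' => time()];
    update_option('wslu_example_counter_cache', $cache);
    return rest_ensure_response(['type' => $type, 'count' => $count]);
}
```

The point to check when auditing a plugin for this class of bug is the value of permission_callback for every register_rest_route call: a route whose callback is __return_true (or a closure that always returns true) is only acceptable when the handler is genuinely public and read-only, which a cache-overwrite or cache-clear handler is not.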

Generated by OpenCVE AI on April 21, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wp Social Login and Register Social Counter to a version later than 3.1.3 (this page's recommended fixed release is 3.1.4), which removes unauthenticated access to the relevant REST routes. Because the Remediation field above still records no vendor fix, confirm the fixed version against the plugin's changelog before treating the upgrade as complete.
  • If an immediate upgrade is not possible, block unauthenticated access to the affected REST endpoints at the web server (e.g., .htaccess or nginx rules matching /wp-json/wslu/v1/) or with a security plugin. Web-server rules keyed on the /wp-json/ path miss the alternative index.php?rest_route=/wslu/v1/... query form that WordPress also accepts, so a rule enforced inside WordPress itself (a must-use plugin hooking REST dispatch) is the more reliable interim control.
  • Log and monitor REST API traffic to the wslu/v1 routes, alert on unauthenticated POST requests to save_cache and clear_counter_cache, and review the logs regularly; a sudden reset or implausible jump in displayed social counts is the visible symptom of tampering.
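An interim in-WordPress control covering the second and third actions above, as an added example (not the vendor's or OpenCVE's code): a must-use plugin that refuses anonymous or under-privileged calls to the three affected routes before the plugin's own handlers run, and logs every refusal for monitoring. The required capability (manage_options) is an assumption; the route paths are from the advisory.

```php
<?php
/**
 * Plugin Name: WSLU interim REST guard (added example)
 *
 * Added example, not the plugin's or the vendor's code. Place in
 * wp-content/mu-plugins/ on a site that cannot yet upgrade past 3.1.3.
 * The capability below is an assumption; set it to whatever role
 * legitimately maintains the counter cache.
 */

const WSLU_GUARD_ROUTES     = '#^/wslu/v1/(check_cache/[^/]+|save_cache/[^/]+|settings/clear_counter_cache)/?$#';
const WSLU_GUARD_CAPABILITY = 'manage_options';

/**
 * True when the request targets one of the affected routes. get_route() is
 * normalised by WP_REST_Server, so this matches both the pretty
 * /wp-json/wslu/v1/... form and the index.php?rest_route=/wslu/v1/... form.
 */
function wslu_guard_is_affected_route(string $route): bool {
    return (bool) preg_match(WSLU_GUARD_ROUTES, $route);
}

/**
 * rest_pre_dispatch is applied inside WP_REST_Server::dispatch(), after
 * serve_request() has already run check_authentication(), so current_user_can()
 * reflects cookie+nonce or application-password authentication here.
 * Returning a non-null value (a WP_Error) short-circuits dispatch, so the
 * plugin's unprotected handler never executes.
 */
function wslu_guard_rest_pre_dispatch($result, WP_REST_Server $server, WP_REST_Request $request) {
    if ($result !== null || !wslu_guard_is_affected_route($request->get_route())) {
        return $result;
    }
    if (current_user_can(WSLU_GUARD_CAPABILITY)) {
        return $result; // privileged caller: let the plugin's handler run
    }

    // Detection: one log line per refused attempt. REMOTE_ADDR is the direct
    // TCP peer; behind a reverse proxy, substitute the client-IP header your
    // proxy sets and only trust it from the proxy's address.
    error_log(sprintf(
        'wslu-guard: refused %s %s from %s (user %d)',
        $request->get_method(),
        $request->get_route(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        get_current_user_id()
    ));

    // 401 for anonymous callers, 403 for authenticated users without the capability.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint requires an authenticated user with sufficient privileges.',
        ['status' => rest_authorization_required_code()]
    );
}
add_filter('rest_pre_dispatch', 'wslu_guard_rest_pre_dispatch', 10, 3);
```

To verify the guard, send an anonymous request such as `curl -i -X POST https://example.com/wp-json/wslu/v1/settings/clear_counter_cache` (example.com stands for your site) and confirm a 401 response with code rest_forbidden plus a wslu-guard line in the PHP error log; repeat with `?rest_route=/wslu/v1/settings/clear_counter_cache` to confirm the alternative URL form is covered too. Remove the mu-plugin once the upgrade is in place so that it does not mask the vendor's own behaviour.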


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type          Values Removed    Values Added
References

Fri, 05 Dec 2025 21:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Roxnor
                                        Roxnor wp Social Login And Register Social Counter
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Roxnor
                                        Roxnor wp Social Login And Register Social Counter
                                        Wordpress
                                        Wordpress wordpress

Fri, 05 Dec 2025 13:15:00 +0000

Type          Values Removed    Values Added
Metrics                         ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Dec 2025 11:15:00 +0000

Type          Values Removed    Values Added
Description                     The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.
Title                           Wp Social Login and Register Social Counter <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering
Weaknesses                      CWE-862
References
Metrics                         cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:07.449Z

Reserved: 2025-11-24T20:43:17.834Z

Link: CVE-2025-13620

Vulnrichment

Updated: 2025-12-05T12:21:54.929Z

NVD

Status: Deferred

Published: 2025-12-05T11:15:51.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses