Impact
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery (CWE-352) because the unlinkUser function does not properly validate the nonce that WordPress uses to prove a state-changing request was intentionally issued by the logged-in user. An attacker needs no account on the site: it is enough to get an authenticated administrator to click a crafted link or load a page that triggers the unlink request, since the browser attaches the administrator's session cookie and the plugin, lacking the nonce check, treats the request as legitimate. The targeted account then loses its social authentication method, which can lock out a user who relies solely on social sign-in or leave the account dependent on its password alone. The vulnerability does not allow code execution or direct data exfiltration, but it undermines account integrity and can be used for targeted denial of access.
Affected Systems
The vulnerability affects the plugin Nextend Social Login and Register developed by Nextendweb. All plugin releases up to and including version 3.1.21 are impacted. No other vendor or product is listed.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. The EPSS score of less than 1% reflects a very low probability of exploitation at the time of analysis, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog. The attacker needs no privileges on the target site, but the victim must be logged in as an administrator and must interact with attacker-controlled content, typically a link or an embedded resource that issues the forged request. Because the flaw is a CSRF weakness, successful exploitation depends on whether an administrator can be induced to interact, on browser cookie handling (SameSite=Lax default handling blocks cross-site form POSTs but still sends cookies on top-level GET navigations, so an action reachable by GET remains exploitable through a plain link), and on any additional CSRF defenses in front of the site. The fix is to validate the nonce in unlinkUser before acting; updating to a release later than 3.1.21 is the expected remediation.
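The following is an added illustrative example, not code from the Nextend Social Login plugin. It shows the general pattern behind the weakness described in the Impact and Risk sections above: a WordPress admin-post handler that performs a state change (unlinking a social provider) protected only by a capability check, next to a hardened version that mints a nonce bound to the action and target user and verifies it before acting. The function names, the `nsl_demo_` prefix, the `user_id` and `provider` parameters, and the user-meta key are assumptions chosen for the example; only the WordPress API calls (`wp_nonce_url`, `check_admin_referer`, `current_user_can`, and so on) are real.

```php
<?php
/**
 * Added illustrative example (not the Nextend Social Login code).
 * Demonstrates a CSRF-prone WordPress handler beside a nonce-protected one.
 * All nsl_demo_* names, the 'user_id'/'provider' parameters and the meta key
 * are assumptions for the example.
 */

// ---- Vulnerable pattern (hypothetical): state change without a nonce check ----
// Reached via wp-admin/admin-post.php?action=nsl_demo_unlink_vulnerable&user_id=5&provider=google
function nsl_demo_unlink_vulnerable() {
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $user_id  = absint( $_REQUEST['user_id'] ?? 0 );
    $provider = sanitize_key( $_REQUEST['provider'] ?? '' );

    // The capability check only proves WHO is logged in, not that they
    // intended this request: a third-party page that navigates the admin's
    // browser to this URL gets the same session cookie and the same result.
    delete_user_meta( $user_id, 'nsl_demo_' . $provider . '_id' );
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_nsl_demo_unlink_vulnerable', 'nsl_demo_unlink_vulnerable' );

// ---- Hardened pattern: nonce bound to the action and the target user ----
function nsl_demo_unlink_url( $user_id, $provider ) {
    $url = add_query_arg(
        array(
            'action'   => 'nsl_demo_unlink',
            'user_id'  => absint( $user_id ),
            'provider' => sanitize_key( $provider ),
        ),
        admin_url( 'admin-post.php' )
    );
    // Including the user ID in the nonce action string means a token minted
    // for one user's unlink link cannot be replayed against another user.
    return wp_nonce_url( $url, 'nsl_demo_unlink_' . absint( $user_id ), '_wpnonce' );
}

function nsl_demo_unlink_hardened() {
    $user_id  = absint( $_REQUEST['user_id'] ?? 0 );
    $provider = sanitize_key( $_REQUEST['provider'] ?? '' );

    // check_admin_referer() wraps wp_verify_nonce(): it rejects a missing,
    // expired or forged token (nonces are tied to the current user's session
    // and expire after at most 24 hours) before any state is touched.
    check_admin_referer( 'nsl_demo_unlink_' . $user_id, '_wpnonce' );

    // The nonce proves intent; authorization is still a separate check.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    delete_user_meta( $user_id, 'nsl_demo_' . $provider . '_id' );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_nsl_demo_unlink', 'nsl_demo_unlink_hardened' );
```

An attacker cannot produce a valid `_wpnonce` for the victim's session, so the forged link or auto-submitted form fails at `check_admin_referer()` with WordPress's "link has expired" response instead of removing the social login. Two points worth carrying into a review of any similar handler: the nonce must be checked before the state change, not after it, and a nonce is not a substitute for the capability check, which is still needed to stop a low-privilege user from unlinking someone else's account with a nonce they legitimately obtained for their own.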
OpenCVE Enrichment