Description
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-02-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF to social login settings
Action: Patch
AI Analysis

Impact

The Wp Social Login and Register Social Counter WordPress plugin contains a CSRF vulnerability (CWE-352) that allows an unauthenticated attacker to change the social login provider configuration. The flaw stems from missing or incorrect nonce validation in the counter_access_key_setup function. By crafting a forged request and luring an administrator into clicking a link, the attacker can submit new settings, potentially taking control of social authentication flows and redirecting users to malicious endpoints.

Affected Systems

The vulnerability affects all releases of the Wp Social Login and Register Social Counter plugin up through version 3.1.0. WordPress sites that have installed this plugin, whether at default settings or with custom provider configurations, are at risk. Administrators and site owners of any WordPress deployment running these vulnerable plugin versions should be aware that an attacker can alter provider settings without authentication.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability is considered moderate. The EPSS score of less than 1% indicates a low probability of exploitation. The attack requires social engineering to get a site administrator to click a crafted link, thus the feasibility is limited but still present. The vulnerability is not listed in the CISA KEV catalog. The improper nonce handling makes the attack straightforward for a determined attacker who can target sites with the plugin.

Generated by OpenCVE AI on April 22, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version beyond 3.1.0 to fix the CWE-352 nonce validation flaw.
  • If an update is impossible, remove or disable the plugin to stop the CSRF vector associated with CWE-352.
  • Enforce strong authentication controls and limit administrator exposure to phishing attacks that could exploit the CWE-352 CSRF weakness.

Generated by OpenCVE AI on April 22, 2026 at 02:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5474 The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 01 Aug 2025 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpmet
Wpmet wp Social Login And Register Social Counter
CPEs cpe:2.3:a:wpmet:wp_social_login_and_register_social_counter:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpmet
Wpmet wp Social Login And Register Social Counter

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Feb 2025 05:30:00 +0000

Type Values Removed Values Added
Description The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Wp Social Login and Register Social Counter <= 3.1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wpmet Wp Social Login And Register Social Counter
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:01.611Z

Reserved: 2025-02-20T18:51:53.629Z

Link: CVE-2025-1506

cve-icon Vulnrichment

Updated: 2025-02-28T14:54:27.224Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-28T06:15:25.557

Modified: 2025-08-01T02:02:35.703

Link: CVE-2025-1506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses