Description
The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging in a user with the data that was previously verified through the facebook_ajax_login_callback() function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.
Published: 2025-08-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The plugin verifies the Facebook login data in facebook_ajax_login_callback() but then does not log the user in with that verified data, so the account that ends up authenticated is not bound to the identity that was actually verified (CWE-288, Authentication Bypass Using an Alternate Path or Channel). An unauthenticated attacker who holds any account on the site (the temporary-user functionality creates one by default) and knows an administrator's email address can therefore obtain that administrator's session. Because the result is a full administrative login, the confidentiality, integrity and availability of the whole WordPress site are affected (CVSS C:H/I:H/A:H).

Affected Systems

Case Theme User plugin for WordPress, distributed by Case-Themes: all released versions up to and including 1.0.3. Any site exposing the plugin's Facebook social login is at risk. The temporary-user functionality that supplies the attacker's foothold account is available by default, so a site does not need to have opted into it to be exploitable.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classifies the issue as critical: it is reachable over the network and needs neither privileges nor user interaction, and it yields full compromise. The EPSS score (below 1%) indicates a low observed exploitation probability at the time of writing and the CVE is not in CISA KEV, but the risk remains high because the SSVC assessment rates it Automatable: yes with total technical impact, and the preconditions are weak: an account that the temporary-user feature hands out by default, plus an administrator's email address, which is often discoverable. The attack path implied by the description is to obtain a temporary account and then drive the facebook_ajax_login_callback() flow with the administrator's email address.

Generated by OpenCVE AI on April 22, 2026 at 00:54 UTC.
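The Impact and Risk paragraphs above describe the defect class, not the plugin's exact code path. The following is an added illustration of that class in WordPress PHP, written for this page and not taken from the Case Theme User plugin: the function names, the facebook_user_id user-meta key and the constructed token table are assumptions. It shows a social-login callback that verifies a token but then picks the local account from a request field, next to a version that derives the account only from the verified profile.

```php
<?php
// Added example illustrating the CWE-288 pattern in a social-login callback.
// Not the Case Theme User plugin's code: verify_facebook_token(),
// complete_login(), the 'facebook_user_id' meta key and the token table below
// are assumptions made for this illustration.

/**
 * Stand-in for provider-side verification. A real handler exchanges the token
 * with the identity provider over TLS; here a constructed table plays that role.
 * Returns the profile the provider vouches for, or null if the token is bad.
 */
function verify_facebook_token(string $token): ?array {
    $constructed = ['tok-alice' => ['id' => '1001', 'email' => 'alice@example.com']];
    return $constructed[$token] ?? null;
}

/** Establishes the WordPress session for $user and returns its ID. */
function complete_login(WP_User $user): int {
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    return $user->ID;
}

/**
 * VULNERABLE pattern: the token is verified, but the account that receives the
 * session is selected from the request's own email field. Anyone holding a
 * valid token for any Facebook account can name an administrator's email and
 * be logged in as that administrator.
 */
function social_login_vulnerable(array $request) {
    $profile = verify_facebook_token((string) ($request['access_token'] ?? ''));
    if ($profile === null) {
        return new WP_Error('bad_token', 'Facebook token rejected');
    }
    $user = get_user_by('email', (string) ($request['email'] ?? '')); // caller-controlled
    if (!$user) {
        return new WP_Error('no_user', 'No account for that email');
    }
    return complete_login($user);
}

/**
 * HARDENED pattern: the local account is derived only from the verified
 * profile. An account already linked to this provider ID wins; a fallback by
 * verified email is allowed only for unprivileged accounts, and privileged
 * accounts must be linked by an already-authenticated user beforehand.
 * Assumes the provider returns only verified email addresses; if it does not,
 * drop step 2 entirely.
 */
function social_login_hardened(array $request) {
    $profile = verify_facebook_token((string) ($request['access_token'] ?? ''));
    if ($profile === null) {
        return new WP_Error('bad_token', 'Facebook token rejected');
    }
    // 1. Account explicitly linked to this provider identity (assumed meta key).
    $linked = get_users([
        'meta_key'   => 'facebook_user_id',
        'meta_value' => $profile['id'],
        'number'     => 1,
    ]);
    if ($linked) {
        return complete_login($linked[0]);
    }
    // 2. Fallback by the provider-verified email, never by a request field.
    $user = get_user_by('email', $profile['email']);
    if (!$user) {
        return new WP_Error('no_user', 'No account for the verified email');
    }
    if (user_can($user, 'manage_options') || user_can($user, 'edit_users')) {
        // Refuse to auto-link privileged accounts on an email match alone.
        return new WP_Error('link_required', 'Link Facebook from your profile while logged in');
    }
    update_user_meta($user->ID, 'facebook_user_id', $profile['id']);
    return complete_login($user);
}
```

The point of the hardened version is the binding: every value that selects the account comes from the verified profile, and the first time a provider identity meets an existing local account the link is recorded, so later logins match on the provider ID rather than on an email that an attacker may be able to claim.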

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Case Theme User plugin to a version later than 1.0.3 that the vendor releases as fixing the authentication bypass (CWE‑288); until such a version exists, treat every installed version as vulnerable.
  • If no update is available, disable temporary user registration and the Facebook social login until a patch is applied; if the plugin's settings do not allow this, deactivate the plugin.
  • At the web application firewall or reverse proxy, block requests that reach the facebook_ajax_login_callback() handler rather than merely rate-limiting them: the bypass needs only a single well-formed request, so throttling alone does not prevent it.
  • Review login and audit logs, not just the user table, for administrative sessions established through the social-login path, and audit recently created temporary users and any account whose email address matches an administrator's.
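The three interim measures above (block the social-login path, keep a record of privileged logins) can be applied from a must-use plugin without touching the vulnerable plugin's files. The following is an added example written for this page, not vendor code: the AJAX action name it unhooks is an assumption and must be checked against the plugin's own add_action('wp_ajax_nopriv_...') registration before use.

```php
<?php
/*
Plugin Name: Social login lockdown (added example, not vendor code)
Description: Temporary must-use plugin that blocks the Facebook AJAX login
             path and logs privileged session creation until the vendor fix
             is installed. The AJAX action name below is an assumption.
*/

// ASSUMED action name: confirm it in the plugin source before deploying.
const CTU_LOCKDOWN_ACTION = 'facebook_ajax_login';

// 1. Detach whatever the plugin registered for the action, for both guests and
//    logged-in users. Runs at the lowest priority on 'init' so it executes after
//    the plugin's own registration, whichever earlier hook that happened on.
add_action('init', function (): void {
    remove_all_actions('wp_ajax_nopriv_' . CTU_LOCKDOWN_ACTION);
    remove_all_actions('wp_ajax_' . CTU_LOCKDOWN_ACTION);
}, PHP_INT_MAX);

// 2. Refuse the request outright if it still names the action, whatever hook
//    the handler ended up on. admin-ajax.php fires 'admin_init' before
//    dispatching, so this runs first.
add_action('admin_init', function (): void {
    if (wp_doing_ajax() && (($_REQUEST['action'] ?? '') === CTU_LOCKDOWN_ACTION)) {
        wp_send_json_error(['message' => 'Social login disabled pending security update'], 403);
    }
}, 0);

// 3. Record every privileged session creation. 'set_auth_cookie' fires inside
//    wp_set_auth_cookie(), so it also catches logins that bypassed wp_signon()
//    and therefore never raised the 'wp_login' action.
add_action('set_auth_cookie', function ($cookie, $expire, $expiration, $user_id): void {
    $user = get_userdata((int) $user_id);
    if ($user && user_can($user, 'manage_options')) {
        error_log(sprintf(
            '[social-login-lockdown] admin session user=%s id=%d ip=%s uri=%s',
            $user->user_login,
            (int) $user_id,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-'
        ));
    }
}, 10, 4);
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins. The log line names the request URI deliberately: an administrator session created by a request to admin-ajax.php rather than wp-login.php is exactly the event this advisory describes, and that is what to alert on while the site is unpatched.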



Advisories
Source: EUVD
ID: EUVD-2025-25634
Title: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.
Values Added: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging in a user with the data that was previously verified through the facebook_ajax_login_callback() function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.

Mon, 25 Aug 2025 21:45:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 24 Aug 2025 22:00:00 +0000

Type: First Time appeared
Values Added: Case-themes (vendor); Case-themes case Theme User (product); Wordpress (vendor); Wordpress wordpress (product)
Type: Vendors & Products
Values Added: Case-themes (vendor); Case-themes case Theme User (product); Wordpress (vendor); Wordpress wordpress (product)

Sat, 23 Aug 2025 07:00:00 +0000

Type: Description
Values Added: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.
Type: Title
Values Added: Case Theme User <= 1.0.3 - Authentication Bypass via Social Login
Type: Weaknesses
Values Added: CWE-288
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:36.348Z

Reserved: 2025-06-06T19:12:24.245Z

Link: CVE-2025-5821

Vulnrichment

Updated: 2025-08-25T18:17:17.864Z

NVD

Status : Deferred

Published: 2025-08-23T07:15:32.507

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses