CVE-2025-13620
📋 TL;DR
This vulnerability allows unauthenticated attackers to clear or overwrite the social counter cache in the Wp Social Login and Register Social Counter WordPress plugin. Attackers can exploit missing authorization in REST API endpoints to manipulate cache data via crafted requests. WordPress sites using vulnerable plugin versions up to 3.1.3 are affected.
💻 Affected Systems
- Wp Social Login and Register Social Counter WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could repeatedly clear social counter caches, causing denial of service by forcing constant cache regeneration, potentially impacting site performance and user experience.
Likely Case
Social counter displays become inaccurate or reset, affecting social proof metrics and potentially confusing users about engagement levels.
If Mitigated
With proper authorization controls, only authenticated administrators could manage cache, preventing unauthorized manipulation.
🎯 Exploit Status
Exploitation requires only sending crafted REST API requests to vulnerable endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3402340/wp-social/tags/3.1.4/inc/admin-rest-api.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Wp Social Login and Register Social Counter'. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.1.4 from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable REST endpoints via .htaccess
linuxBlock access to the vulnerable REST API routes at web server level
# Add to .htaccess file
RewriteEngine On
RewriteRule ^wp-json/wslu/v1/(check_cache|save_cache|settings/clear_counter_cache) - [F,L]
Disable plugin temporarily
allDeactivate the plugin until patched
wp plugin deactivate wp-social-login-and-register-social-counter
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /wp-json/wslu/v1/ endpoints
- Monitor WordPress REST API logs for suspicious requests to wslu/v1 endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Wp Social Login and Register Social Counter' version 3.1.3 or lowerCheck Version:
wp plugin list --name='wp-social-login-and-register-social-counter' --field=versionVerify Fix Applied:
Verify plugin version is 3.1.4 or higher in WordPress admin plugins page📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/wslu/v1/ endpoints from unauthenticated users
- Multiple cache clearing requests in short timeframes
Network Indicators:
- HTTP requests to /wp-json/wslu/v1/check_cache/, /wp-json/wslu/v1/save_cache/, or /wp-json/wslu/v1/settings/clear_counter_cache
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/wslu/v1/check_cache/*" OR uri_path="/wp-json/wslu/v1/save_cache/*" OR uri_path="/wp-json/wslu/v1/settings/clear_counter_cache") AND user="-"