CVE-2025-13620 affects the WordPress plugin “Wp Social Login and Register Social Counter” (plugin: wp-social) and is a Missing Authorization / Improper Authorization issue in multiple REST API routes that are exposed without authentication. The vulnerability is caused by REST routes being registered with permission_callback set to __return_true, combined with handlers that perform state-changing cache operations without any capability check or nonce validation. As a result, an unauthenticated attacker can clear and overwrite the plugin’s cached social counter values (notably Instagram), which directly influences the front-end widget output and can be abused to display incorrect follower counts or otherwise disrupt the counter feature.
| Field | Value |
|---|---|
| CVE | CVE-2025-13620 |
| Plugin Version | Wp Social Login and Register Social Counter <= 3.1.3 |
| Critical | High |
| All Time | 805 123 |
| Active installations | 70 000+ |
| Publicly Published | December 4, 2025 |
| Last Updated | December 4, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13620 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-social/wp-social-login-and-register-social-counter-313-missing-authorization-in-cache-rest-endpoints-to-social-counter-tampering |
Timeline
| Date | Event |
|---|---|
| November 14, 2025 | Plugin testing and vulnerability detection in the Wp Social Login and Register Social Counter have been completed |
| November 14, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 4, 2025 | Registered CVE-2025-13620 |
Discovery of the Vulnerability
Public advisories describe the issue as affecting plugin versions up to and including 3.1.3. The WordPress.org plugin page indicates the plugin has 70,000+ active installations, which makes cache-tampering issues materially relevant in the real world because these widgets are often deployed on high-visibility pages where trust and social proof matter. The plugin’s changelog also suggests a remediation timeline: version 3.1.4 includes a fix described as “Missing authorization in Cache REST endpoints allowing Social Counter data changes,” which strongly aligns with CVE-2025-13620’s described root cause.
Understanding Missing Auth attacks
The vulnerable routes include endpoints such as /wp-json/wslu/v1/check_cache/{type}, /wp-json/wslu/v1/save_cache/{type}, and /wp-json/wslu/v1/settings/clear_counter_cache. Advisories note that these routes were registered with permission_callback returning true (effectively public), and their handlers accept attacker-controlled parameters used to clear or overwrite cached counter data. This becomes security-relevant because the REST API permission callback is the primary gate that should prevent unauthenticated state changes; WordPress explicitly documents __return_true as suitable only when an endpoint is intentionally public, and it does not itself provide authorization. When used on a write-like endpoint that mutates cached values, it creates an obvious integrity vulnerability.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-13620, an attacker needs no cookies or session; the requests below are sent fully unauthenticated.
POC:
```shell
curl -X POST 'https://www.test.com/index.php/wp-json/wslu/v1/settings/clear_counter_cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'provider=instagram&username='

curl -X POST 'https://www.postapocalypticmedia.com/index.php/wp-json/wslu/v1/save_cache/instagram' \
  -H 'Content-Type: application/json' \
  -d '{"content":{"count":19777000}}'
```
The practical impact is tampering with the social proof layer of a site. By clearing the cached value and then writing a new value for a provider such as Instagram, an attacker can force the front-end widget to display an arbitrary follower count, which can mislead users and undermine trust, particularly for brands and publishers who rely on counters for credibility. Depending on how the widget/template expects cached structures, malformed cache payloads can also trigger broken rendering (for example, displaying an unexpected serialized structure rather than a numeric count), which becomes an availability and reputation issue because the widget may appear corrupted or unreliable. The NVD and vendor-style writeups summarize this concisely as the ability for unauthenticated attackers to “clear or overwrite the social counter cache via crafted REST requests.”
Recommendations for Improved Security
The correct fix is to treat these routes as privileged, because they mutate state that affects front-end output. At minimum, the plugin should replace permission_callback => __return_true with a callback that enforces authentication and a meaningful capability (for example, an admin-level capability such as manage_options, or a plugin-specific capability that is not granted to public users), and should validate request intent using nonces where applicable for WordPress-admin initiated actions. This aligns with the general WordPress REST guidance that permission callbacks must reflect the access model of the route. For site owners, the immediate defensive action is to update to a version that includes the authorization fix (the WordPress.org changelog indicates the authorization issue was addressed in 3.1.4), and to consider temporarily disabling the plugin or blocking the vulnerable REST routes at the edge (WAF/CDN) if upgrading is not immediately feasible.
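The following is an added example (not the plugin's own code) showing the vulnerable registration pattern described above for the save_cache route beside a hardened version. The handler name, the transient-based storage and the provider allow-list are assumptions; the route namespace and the `content.count` payload shape come from the advisory.

```php
<?php
// BEFORE: public route, no capability check, unvalidated arguments.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wslu/v1', '/save_cache/(?P<type>[a-z_]+)', array(
        'methods'             => 'POST',
        'callback'            => 'wslu_save_cache_handler',   // assumed handler name
        'permission_callback' => '__return_true',            // anyone can overwrite the cache
    ) );
} );

// AFTER: the route is treated as privileged. For cookie-authenticated callers
// WordPress also verifies the X-WP-Nonce header before this callback runs,
// so a forged request riding on an admin session is rejected as well.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wslu/v1', '/save_cache/(?P<type>[a-z_]+)', array(
        'methods'             => 'POST',
        'callback'            => 'wslu_save_cache_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() ) ); // 401 or 403
            }
            return true;
        },
        'args' => array(
            'type' => array(   // provider allow-list (assumed set of providers)
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'instagram', 'facebook', 'twitter' ), true );
                },
            ),
            'content' => array( // only a non-negative integer count may be cached,
                'required'          => true, // so a malformed structure never reaches the widget
                'validate_callback' => function ( $value ) {
                    return is_array( $value ) && isset( $value['count'] )
                        && is_int( $value['count'] ) && $value['count'] >= 0;
                },
            ),
        ),
    ) );
} );

// Assumed handler: stores only the validated count under a per-provider key.
function wslu_save_cache_handler( WP_REST_Request $request ) {
    $provider = $request->get_param( 'type' );
    $count    = (int) $request->get_param( 'content' )['count'];
    set_transient( 'wslu_counter_' . $provider, $count, HOUR_IN_SECONDS );
    return rest_ensure_response( array( 'provider' => $provider, 'count' => $count ) );
}
```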
By taking proactive measures to address Missing Auth vulnerabilities like CVE-2025-13620, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #MissingAuth #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
