CVE-2025-13613

Description

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-289 CWE-289

References

Other References

https://themeforest.net/item/esmarts-a-modern-education-and-lms-theme/20987760 https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve

Frequently Asked Questions

What is CVE-2025-13613? +

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email. It has a CVSS v3.1 base score of 9.8 (CRITICAL).

How severe is CVE-2025-13613? +

CVE-2025-13613 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

How do I check if I'm vulnerable to CVE-2025-13613? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-56511 9.8

DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in …

CVE-2025-29266 9.6

Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if …

CVE-2024-55634 8.1

A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, …

CVE-2025-64343 7.8

(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, …

CVE-2025-41248 7.5

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super …

CVE-2024-2098 7.5

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on …