CVE-2025-13408
Description
The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Foxtool plugin for WordPress is vulnerable to CSRF in the foxtool_login_google() function, allowing unauthenticated attackers to establish an OAuth connection by tricking a site administrator.
Vulnerability Analysis
The Foxtool All-in-One plugin for WordPress (versions up to and including 2.5.2) contains a Cross-Site Request Forgery (CSRF) vulnerability in the foxtool_login_google() function. This function, which handles Google OAuth login and user creation, lacks proper nonce validation. The vulnerable code is located in /inc/goo.php [1].
Attack Vector
An unauthenticated attacker can exploit this by crafting a malicious request to the foxtool_login_google() callback, which processes an authorization code from Google. Because no nonce is checked, the attacker can forge a request that, when triggered by a logged-in site administrator (e.g., via a link click), will establish a new OAuth connection with the attacker's own Google credentials. This allows the attacker to bypass normal authentication flows [1][2].
Impact
If successfully exploited, the attacker can create a new user account on the WordPress site, or modify an existing connection, effectively gaining access to the site. The function uses wp_insert_user() and allows setting a role (defaulting to 'subscriber'), but an administrator might be tricked into granting higher privileges inadvertently [1].
Mitigation
The vendor has released version 2.5.3, which addresses this vulnerability by adding proper nonce validation. Users are strongly advised to update the plugin to the latest version immediately. There is no known workaround for the vulnerable versions [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
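The following is an added illustrative example, not the Foxtool plugin's own code and not a reconstruction of /inc/goo.php. It contrasts the two handler shapes the advisory describes: an OAuth callback that processes any incoming `code` without checking that the current user intended the request (the CSRF-prone pattern), and a hardened callback that binds a WordPress nonce to the OAuth `state` parameter, verifies it with wp_verify_nonce() on return, and requires an administrative capability before storing a site-wide connection. All `example_` function names and the option key are assumptions.

```php
<?php
// Added example (not the plugin's code). Function names, the option key and
// the `example_` prefix are assumptions; the WordPress APIs used are real.

// --- CSRF-prone pattern: every request carrying ?code=... is processed, so a
// forged link opened by a logged-in administrator is accepted as if the
// administrator had started the OAuth flow themselves.
function example_oauth_callback_vulnerable() {
    if ( empty( $_GET['code'] ) ) {
        return;
    }
    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );
    // No nonce, no state, no capability check before the connection is stored.
    example_store_oauth_connection( $code );
}

// --- Hardened pattern, step 1: when building the authorization URL, embed a
// WordPress nonce as the OAuth `state` value. The provider echoes `state`
// back unchanged on the callback, which lets us verify request origin there.
function example_build_authorize_url( $client_id, $redirect_uri ) {
    $state = wp_create_nonce( 'example_oauth_connect' );
    return add_query_arg(
        array(
            'client_id'     => $client_id,
            'redirect_uri'  => $redirect_uri,
            'response_type' => 'code',
            'scope'         => 'openid email',
            'state'         => $state,
        ),
        'https://accounts.google.com/o/oauth2/v2/auth'
    );
}

// --- Hardened pattern, step 2: on callback, refuse the request unless the
// returned state is a valid nonce for this user's session and the user is
// allowed to manage the site-wide connection.
function example_oauth_callback_hardened() {
    if ( empty( $_GET['code'] ) || empty( $_GET['state'] ) ) {
        return;
    }
    $state = sanitize_text_field( wp_unslash( $_GET['state'] ) );

    // wp_verify_nonce() ties the value to the current user, their session
    // token and a time window, so a third party cannot mint a valid one.
    if ( ! wp_verify_nonce( $state, 'example_oauth_connect' ) ) {
        wp_die( esc_html__( 'Invalid OAuth state.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Establishing or changing the site's OAuth connection is an admin action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );
    example_store_oauth_connection( $code );
}

// Assumed helper standing in for the code-exchange-and-store step; a real
// implementation would exchange $code for tokens before persisting anything.
function example_store_oauth_connection( $code ) {
    update_option( 'example_oauth_last_code', $code );
}
```

One caveat on the nonce-as-state approach: for a flow that serves logged-out visitors (a "login with Google" button rather than an administrator connecting the site), WordPress nonces for logged-out users are not bound to an individual session, so the `state` value should instead be a random per-request token stored in a transient or cookie and compared on return. The capability check above applies only to the connect/administrative path, which is the one the advisory describes.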
Affected products
- Range: <=2.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.