VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 5, 2025 · Updated Apr 15, 2026

CVE-2025-13620

Description

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Wp Social Login and Register Social Counter plugin <=3.1.3 exposes unauthenticated REST endpoints allowing cache tampering.

The vulnerability resides in the WordPress plugin "Wp Social Login and Register Social Counter" (wp-social) versions up to and including 3.1.3. The REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache are registered with permission_callback set to __return_true, and their handlers lack any capability or nonce validation. This missing authorization allows unauthenticated attackers to perform state-changing operations on the plugin's social counter cache [1].
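The registration pattern the description refers to, shown next to the hardened form a maintainer would use, as an added illustration that is not the plugin's own code: the route names come from the advisory, while the handler names, HTTP methods, capability and accepted counter types are assumptions.

```php
<?php
// Added illustration, not code from the wp-social plugin. Route names are from the
// advisory; handler names, methods, capability and counter types are assumptions.

// Vulnerable pattern: a permission_callback of __return_true makes the route public,
// and if the handler performs no capability or nonce check either, any unauthenticated
// client can trigger the state-changing write.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wslu/v1', '/save_cache/(?P<type>[a-z_]+)', array(
        'methods'             => 'POST',                      // assumed method
        'callback'            => 'wslu_save_cache_handler',   // assumed handler name
        'permission_callback' => '__return_true',             // no authorization at all
    ) );
} );

// Hardened pattern: the permission_callback gates the route on a capability. For
// cookie-authenticated requests WordPress core only sets the current user when a
// valid X-WP-Nonce header is present, so current_user_can() covers the nonce case
// as well as application-password auth; the "type" argument is validated too.
add_action( 'rest_api_init', function () {
    $require_admin = function ( WP_REST_Request $request ) {
        return current_user_can( 'manage_options' );          // assumed capability
    };

    register_rest_route( 'wslu/v1', '/settings/clear_counter_cache', array(
        'methods'             => 'POST',                      // assumed method
        'callback'            => 'wslu_clear_counter_cache_handler', // assumed name
        'permission_callback' => $require_admin,
    ) );

    register_rest_route( 'wslu/v1', '/save_cache/(?P<type>[a-z_]+)', array(
        'methods'             => 'POST',
        'callback'            => 'wslu_save_cache_handler',
        'permission_callback' => $require_admin,
        'args'                => array(
            'type' => array(
                'required'          => true,
                // Accept only known counter types instead of trusting the raw path value.
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'instagram', 'facebook' ), true ); // assumed
                },
            ),
        ),
    ) );
} );
```

When the permission_callback returns false, the REST server answers with a rest_forbidden error before the handler runs, so the cache cannot be cleared or overwritten by an unauthenticated request.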

An attacker can exploit these endpoints by sending crafted REST requests without any authentication. The save_cache endpoint can overwrite cached social counter values (notably Instagram), while clear_counter_cache can delete the entire cache. No special network position or user interaction is required; the attack is performed remotely over HTTP [1].

The impact is that an unauthenticated attacker can manipulate the social counter widget displayed on the WordPress site. By overwriting or clearing the cache, the attacker can display incorrect follower counts or disrupt the counter feature entirely. This can mislead site visitors and damage the site's credibility, though it does not directly compromise user data or site integrity [1].

As of the publication date, no patched version has been released. Users of the plugin are advised to restrict access to the affected REST endpoints via server-level rules or a Web Application Firewall (WAF) until a fix is provided. The plugin has over 70,000 active installations, making this a significant supply-chain risk [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)