CVE-2025-1564
Published: 01 March 2025
Description
The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a users identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators and take over access to their account.
Security Summary
CVE-2025-1564 is an authentication bypass vulnerability in the SetSail Membership plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw arises because the plugin does not properly verify a user's identity through social login, allowing unauthorized access. It has a CVSS v3.1 base score of 9.8 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-288. The vulnerability was published on 2025-03-01T08:15:34.007.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables attackers to log in as any user on the site, including administrators, effectively taking over their accounts and gaining full control over the WordPress installation.
Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c2c2385e-0d1e-435a-9b82-972964084148?source=cve and the SetSail theme page on ThemeForest at https://themeforest.net/item/setsail-travel-agency-theme/22832625.
Details
- CWE(s)