CVE-2025-1638
Published: 01 March 2025
Description
The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.
Security Summary
CVE-2025-1638 is an authentication bypass vulnerability in the Alloggio Membership plugin for WordPress, affecting all versions up to and including 1.0.2. The flaw occurs because the plugin fails to properly validate user identity in the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions, allowing attackers to impersonate legitimate users.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables logging in as any user account, including administrators, without a password, potentially granting full control over the WordPress site. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Advisories provide further details on the vulnerability via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/60405e54-e869-4623-892c-0821014f887b?source=cve and the plugin's ThemeForest listing at https://themeforest.net/item/alloggio-hotel-booking-theme/26775539. The CVE was published on 2025-03-01T08:15:34.167.
Details
- CWE(s)