CVE-2025-1671
Published: 01 March 2025
Description
The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.
Security Summary
CVE-2025-1671 is a privilege escalation vulnerability in the Academist Membership plugin for WordPress, affecting all versions up to and including 1.1.6. The flaw arises in the academist_membership_check_facebook_user() function, which does not properly verify a user's identity before authenticating them. Published on 2025-03-01, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation enables attackers to log in as any user, including site administrators, granting high levels of confidentiality, integrity, and availability impact.
Advisories provide further details, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/911a9550-1f62-4f28-9d8c-00d9769949c9?source=cve and the plugin listing on ThemeForest at https://themeforest.net/item/academist-a-modern-learning-management-system-and-education-theme/22376830.
Details
- CWE(s)