{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11196", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-30T17:49:32.203Z", "datePublished": "2025-10-15T08:26:02.148Z", "dateUpdated": "2026-04-08T17:18:59.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:59.919Z"}, "affected": [{"vendor": "tbenyon", "product": "External Login", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.11.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view."}], "title": "External Login <= 1.11.2 - Authenticated (Subscriber+) Sensitive Data Exposure via Test Connection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb40f51-dac2-40e7-beb1-154d982f7af3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/options/testing_ajax.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/login/db.php#L215"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/views/test_results.php#L21"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-14T19:58:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T14:13:21.840067Z", "id": "CVE-2025-11196", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:16:16.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T14:13:21.840067Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:16:11.592Z"}}], "cna": {"title": "External Login <= 1.11.2 - Authenticated (Subscriber+) Sensitive Data Exposure via Test Connection", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "tbenyon", "product": "External Login", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.11.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:58:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb40f51-dac2-40e7-beb1-154d982f7af3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/options/testing_ajax.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/login/db.php#L215"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/views/test_results.php#L21"}], "descriptions": [{"lang": "en", "value": "The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-15T08:26:02.148Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11196", "state": "PUBLISHED", "dateUpdated": "2025-10-15T14:16:16.320Z", "dateReserved": "2025-09-30T17:49:32.203Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:26:02.148Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view."}], "id": "CVE-2025-11196", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:42.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/login/db.php#L215"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/options/testing_ajax.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/views/test_results.php#L21"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb40f51-dac2-40e7-beb1-154d982f7af3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:51:49.882831+00:00", "value": {"mitigation_remediation": ["Update the External Login plugin to the latest version that does not expose the 'exlog_test_connection' AJAX action.", "If an update is not immediately available, disable the test connection feature or remove the AJAX handler by editing the plugin code to enforce proper capability checks and nonce validation, thereby mitigating CWE-200.", "Restrict subscriber role capabilities or use role\u2011based access controls to limit unused privileges until the plugin is updated."], "summary": {"action": "Update", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the External Login plugin installed in versions 1.11.2 or earlier are impacted. The issue is documented for all releases up to and including 1.11.2; newer releases have removed the insecure AJAX action or added appropriate checks. Site owners should verify the plugin version and update to the latest available release.", "description_and_impact": "The vulnerability resides in the External Login WordPress plugin, allowing an attacker who is authenticated with subscriber-level or higher privileges to misuse an AJAX endpoint that lacks proper capability checks or nonce validation. Exploiting the 'exlog_test_connection' action grants access to diagnostic test results, from which truncated usernames, email addresses, and password hashes of the configured external database can be retrieved. This constitutes a moderate confidentiality compromise, exposing user credentials and personal information to an attacker who can already log into the site.", "risk_and_exploitability": "The CVSS score of 4.3 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates that the probability of exploitation is low according to current data, and the vulnerability is not listed in the CISA KEV catalog. An attacker still requires authenticated access, but subscribers can gain the necessary privileges. Once accessed, the exposed data can be used for credential stuffing, phishing, or account takeover. The attack path relies on an authenticated AJAX call to the 'exlog_test_connection' action, which lacks capability checks or nonce validation, allowing a subscriber to retrieve diagnostic test results that include truncated usernames, email addresses, and password hashes. This can be performed from any network that can reach the site\u2019s public interface."}}}}, "created": "2025-10-20T13:27:04.031865+00:00", "updated": "2026-04-21T19:00:36.136104+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}