{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1638", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-24T16:46:22.040Z", "datePublished": "2025-03-01T07:24:04.067Z", "dateUpdated": "2026-04-08T16:56:33.805Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:33.805Z"}, "affected": [{"vendor": "Edge-Themes", "product": "Alloggio Membership", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password."}], "title": "Alloggio Membership <= 1.1 - Authentication Bypass via Social Login Account Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60405e54-e869-4623-892c-0821014f887b?source=cve"}, {"url": "https://themeforest.net/item/alloggio-hotel-booking-theme/26775539"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-02-28T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T20:55:30.719861Z", "id": "CVE-2025-1638", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:56:57.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-03T20:55:30.719861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:55:32.026Z"}}], "cna": {"title": "Alloggio Membership <= 1.1 - Authentication Bypass via Social Login Account Takeover", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Edge-Themes", "product": "Alloggio Membership", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-28T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60405e54-e869-4623-892c-0821014f887b?source=cve"}, {"url": "https://themeforest.net/item/alloggio-hotel-booking-theme/26775539"}], "descriptions": [{"lang": "en", "value": "The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-01T07:24:04.067Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1638", "state": "PUBLISHED", "dateUpdated": "2025-03-03T20:56:57.878Z", "dateReserved": "2025-02-24T16:46:22.040Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-01T07:24:04.067Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password."}, {"lang": "es", "value": "El complemento Alloggio Membership para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 1.0.2 incluida. Esto se debe a que el complemento no valida correctamente la identidad de un usuario a trav\u00e9s de las funciones alloggio_membership_init_rest_api_facebook_login y alloggio_membership_init_rest_api_google_login. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario, incluidos los administradores, sin conocer una contrase\u00f1a."}], "id": "CVE-2025-1638", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-01T08:15:34.167", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/alloggio-hotel-booking-theme/26775539"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60405e54-e869-4623-892c-0821014f887b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:15:17.877581+00:00", "value": {"mitigation_remediation": ["Apply the latest Alloggio Membership plugin release if a fix has been issued.", "If an upgrade is not immediately possible, disable or remove the vulnerable Facebook and Google login API routes to block unauthenticated access.", "After disabling or patching, monitor the site\u2019s logs for unauthorized authentication attempts and enforce additional restrictions such as IP blocking or rate limiting on the social login endpoints."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass (Admin Access)"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Edge\u2011Themes Alloggio Membership plugin installed in any version up to and including 1.0.2 are vulnerable. The issue is confined to the plugin\u2019s social login functionality and does not affect core WordPress code or other plugins.", "description_and_impact": "The Alloggio Membership plugin for WordPress contains an authentication flaw that allows unauthenticated attackers to log in as any user, including administrators, by exploiting the Facebook and Google login endpoints. The flaw is caused by the plugin not properly validating the user identity in the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This is an authentication bypass (CWE\u2011288).", "risk_and_exploitability": "The CVSS score of 9.8 categorizes the flaw as critical. The EPSS score of <1% indicates that exploit events are expected to be rare, but the high severity still warrants attention. Attackers could target the public Facebook or Google login API routes to authenticate as arbitrary users, bypassing all normal password requirements. The vulnerability is not listed in CISA\u2019s KEV catalog, so no publicly known exploit code is available yet, but the nature of the flaw enables full control over a site if exploited."}}}}, "created": "2026-04-22T04:30:05.310184+00:00", "updated": "2026-04-22T04:30:05.310196+00:00", "vendors": []}