Cyber Resilience

CVE-2025-1638

Critical

Published: 01 March 2025

Published
01 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1638 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2025-1638 is an authentication bypass vulnerability in the Alloggio Membership plugin for WordPress, affecting all versions up to and including 1.0.2. The flaw occurs because the plugin fails to properly validate user identity in the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions, allowing attackers to impersonate legitimate users.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables logging in as any user account, including administrators, without a password, potentially granting full control over the WordPress site. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Advisories provide further details on the vulnerability via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/60405e54-e869-4623-892c-0821014f887b?source=cve and the plugin's ThemeForest listing at https://themeforest.net/item/alloggio-hotel-booking-theme/26775539. The CVE was published on 2025-03-01T08:15:34.167.

EU & UK References

Vulnerability details

The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it…

more

possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.003 Local Accounts Stealth
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authentication bypass in public-facing WordPress plugin enables direct network exploitation (T1190) to impersonate and access any local user account including admins (T1078.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-11286Shared CWE-288
CVE-2025-11522Shared CWE-288
CVE-2025-10294Shared CWE-288
CVE-2026-3461Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2026-42760Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2026-1779Shared CWE-288
CVE-2025-0316Shared CWE-288
CVE-2026-45109Shared CWE-288

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires authentication of non-organizational users before access, directly mitigating the plugin's failure to validate identities in Facebook and Google login REST API functions.

prevent

Enforces approved access authorizations, preventing unauthenticated attackers from bypassing authentication to impersonate any user including administrators.

prevent

Directs timely remediation of identified flaws, such as patching the Alloggio Membership plugin to fix the authentication bypass vulnerability.

References