Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for Nextend Social Login and Register by nextendweb
CVE-2025-13737 (GCVE-0-2025-13737)
Vulnerability from nvd – Published: 2025-11-28 03:27 – Updated: 2026-04-08 17:11
VLAI?
Title
Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login
Summary
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextendweb | Nextend Social Login and Register |
Affected:
0 , ≤ 3.1.21
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T14:57:28.840803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T14:57:36.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nextend Social Login and Register",
"vendor": "nextendweb",
"versions": [
{
"lessThanOrEqual": "3.1.21",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the \u0027unlinkUser\u0027 function. This makes it possible for unauthenticated attackers to unlink the user\u0027s social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:26.663Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-26T07:16:19.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-27T14:54:41.000Z",
"value": "Disclosed"
}
],
"title": "Nextend Social Login and Register \u003c= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13737",
"datePublished": "2025-11-28T03:27:06.477Z",
"dateReserved": "2025-11-26T07:00:24.096Z",
"dateUpdated": "2026-04-08T17:11:26.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1775 (GCVE-0-2024-1775)
Vulnerability from nvd – Published: 2024-03-02 07:35 – Updated: 2026-04-08 16:47
VLAI?
Title
Nextend Social Login and Register <= 3.1.12 - Reflected Self-Based Cross-Site Scripting via error_description
Summary
The Nextend Social Login and Register plugin for WordPress is vulnerable to a self-based Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers, with access to a subscriber-level account, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: This vulnerability can be successfully exploited on a vulnerable WordPress instance against an OAuth pre-authenticated higher-level user (e.g., administrator) by leveraging a cross-site request forgery in conjunction with a certain social engineering technique to achieve a critical impact scenario (cross-site scripting to administrator-level account creation). However, successful exploitation requires "Debug mode" to be enabled in the plugin's "Global Settings".
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextendweb | Nextend Social Login and Register |
Affected:
0 , ≤ 3.1.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-02T22:33:05.587784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T15:14:30.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:22.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bad1d0d-3817-4c7f-a012-5a85b577781e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3042326/nextend-facebook-connect"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nextend Social Login and Register",
"vendor": "nextendweb",
"versions": [
{
"lessThanOrEqual": "3.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Wei\u00dfhaar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nextend Social Login and Register plugin for WordPress is vulnerable to a self-based Reflected Cross-Site Scripting via the \u2018error_description\u2019 parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers, with access to a subscriber-level account, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: This vulnerability can be successfully exploited on a vulnerable WordPress instance against an OAuth pre-authenticated higher-level user (e.g., administrator) by leveraging a cross-site request forgery in conjunction with a certain social engineering technique to achieve a critical impact scenario (cross-site scripting to administrator-level account creation). However, successful exploitation requires \"Debug mode\" to be enabled in the plugin\u0027s \"Global Settings\"."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:47:14.468Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bad1d0d-3817-4c7f-a012-5a85b577781e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3042326/nextend-facebook-connect"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-03-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Nextend Social Login and Register \u003c= 3.1.12 - Reflected Self-Based Cross-Site Scripting via error_description"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1775",
"datePublished": "2024-03-02T07:35:48.322Z",
"dateReserved": "2024-02-22T18:32:03.150Z",
"dateUpdated": "2026-04-08T16:47:14.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13737 (GCVE-0-2025-13737)
Vulnerability from cvelistv5 – Published: 2025-11-28 03:27 – Updated: 2026-04-08 17:11
VLAI?
Title
Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login
Summary
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextendweb | Nextend Social Login and Register |
Affected:
0 , ≤ 3.1.21
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T14:57:28.840803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T14:57:36.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nextend Social Login and Register",
"vendor": "nextendweb",
"versions": [
{
"lessThanOrEqual": "3.1.21",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the \u0027unlinkUser\u0027 function. This makes it possible for unauthenticated attackers to unlink the user\u0027s social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:26.663Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-26T07:16:19.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-27T14:54:41.000Z",
"value": "Disclosed"
}
],
"title": "Nextend Social Login and Register \u003c= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13737",
"datePublished": "2025-11-28T03:27:06.477Z",
"dateReserved": "2025-11-26T07:00:24.096Z",
"dateUpdated": "2026-04-08T17:11:26.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1775 (GCVE-0-2024-1775)
Vulnerability from cvelistv5 – Published: 2024-03-02 07:35 – Updated: 2026-04-08 16:47
VLAI?
Title
Nextend Social Login and Register <= 3.1.12 - Reflected Self-Based Cross-Site Scripting via error_description
Summary
The Nextend Social Login and Register plugin for WordPress is vulnerable to a self-based Reflected Cross-Site Scripting via the ‘error_description’ parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers, with access to a subscriber-level account, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: This vulnerability can be successfully exploited on a vulnerable WordPress instance against an OAuth pre-authenticated higher-level user (e.g., administrator) by leveraging a cross-site request forgery in conjunction with a certain social engineering technique to achieve a critical impact scenario (cross-site scripting to administrator-level account creation). However, successful exploitation requires "Debug mode" to be enabled in the plugin's "Global Settings".
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextendweb | Nextend Social Login and Register |
Affected:
0 , ≤ 3.1.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-02T22:33:05.587784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T15:14:30.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:22.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bad1d0d-3817-4c7f-a012-5a85b577781e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3042326/nextend-facebook-connect"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nextend Social Login and Register",
"vendor": "nextendweb",
"versions": [
{
"lessThanOrEqual": "3.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tobias Wei\u00dfhaar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nextend Social Login and Register plugin for WordPress is vulnerable to a self-based Reflected Cross-Site Scripting via the \u2018error_description\u2019 parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers, with access to a subscriber-level account, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: This vulnerability can be successfully exploited on a vulnerable WordPress instance against an OAuth pre-authenticated higher-level user (e.g., administrator) by leveraging a cross-site request forgery in conjunction with a certain social engineering technique to achieve a critical impact scenario (cross-site scripting to administrator-level account creation). However, successful exploitation requires \"Debug mode\" to be enabled in the plugin\u0027s \"Global Settings\"."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:47:14.468Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bad1d0d-3817-4c7f-a012-5a85b577781e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3042326/nextend-facebook-connect"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-03-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Nextend Social Login and Register \u003c= 3.1.12 - Reflected Self-Based Cross-Site Scripting via error_description"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1775",
"datePublished": "2024-03-02T07:35:48.322Z",
"dateReserved": "2024-02-22T18:32:03.150Z",
"dateUpdated": "2026-04-08T16:47:14.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}