CVE-2025-13539

FindAll Membership plugin for WordPress

A critical authentication bypass vulnerability exists in the FindAll Membership plugin for WordPress, rated 9.8 on the CVSS scale.

Executive summary

CVE-2025-13539 is a critical authentication bypass in the FindAll Membership plugin for WordPress, rated 9.8 on the CVSS scale. An attacker with no prior access to the site who knows an administrator's email address can complete a social login with a throwaway account and end up logged in as that administrator, gaining full administrative control over the website. Successful exploitation can lead to complete site compromise, data theft, and significant reputational damage.

Vulnerability

The vulnerability lies in the plugin's social login functions for Facebook ('findall_membership_check_facebook_user') and Google ('findall_membership_check_google_user'). After the social provider has verified the user's identity, the plugin does not tie the resulting WordPress login to that verified identity: the account it logs the caller into is selected from an email address supplied in the request, which the caller controls. An attacker therefore creates a temporary user account, starts a social login, and at the final step supplies a different, existing user's email address (for example an administrator's) to be logged in as that user. No password is checked and none of WordPress's standard authentication steps run, so the attacker receives the impersonated account's full privileges.
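To make the flaw class concrete, the following is an added illustrative PHP sketch; it is not the FindAll Membership plugin's code, and every function, option and meta name in it (the example_* functions, the 'example_google_client_id' option, the 'example_google_sub' meta key, the nonce action) is assumed. The vulnerable half has the shape the description above implies: the account to log into is taken from a request parameter. The hardened half resolves the WordPress user only from claims the provider signed and links accounts by the provider's stable subject identifier, with the Google ID-token path shown.

```php
<?php
// Added illustration of the flaw class described in the advisory. NOT the
// plugin's code; all example_* names, the option and the meta key are assumed.

/**
 * VULNERABLE shape: the user to log in is chosen from a request parameter,
 * so whoever reaches this handler (e.g. a throwaway account that has just
 * completed a social login) picks the victim by email. No password check,
 * no capability check, no link to the identity the provider verified.
 */
function example_social_login_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ); // attacker-controlled
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );   // bypasses wp_authenticate() entirely
        wp_safe_redirect( admin_url() );
        exit;
    }
}

/**
 * HARDENED shape, step 1: obtain the provider's signed claims. Google's
 * tokeninfo endpoint returns the decoded claims of a valid ID token (for
 * production, verify the JWT signature locally against Google's JWKS instead).
 */
function example_verify_google_id_token( $id_token ) {
    $resp = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $claims = json_decode( wp_remote_retrieve_body( $resp ), true );
    // The token must have been issued for THIS site's OAuth client; otherwise a
    // token obtained for any other Google app could be replayed here.
    if ( ! is_array( $claims ) || ( $claims['aud'] ?? '' ) !== get_option( 'example_google_client_id' ) ) {
        return null;
    }
    return $claims;
}

/**
 * HARDENED shape, step 2: pick the WordPress user from the verified claims,
 * never from anything else in the request.
 */
function example_social_login_hardened() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'example_social_login' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $claims = example_verify_google_id_token( wp_unslash( $_POST['id_token'] ?? '' ) );
    if ( null === $claims || empty( $claims['sub'] ) ) {
        wp_die( 'Social login failed', '', array( 'response' => 401 ) );
    }

    // Prefer an account already linked to this Google subject id ("sub" is
    // stable per user and per client; an email address can change hands).
    $linked  = get_users( array(
        'meta_key'   => 'example_google_sub',
        'meta_value' => $claims['sub'],
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    $user_id = $linked ? (int) $linked[0] : 0;

    // First-time link by email: only if the provider asserts the address is
    // verified (tokeninfo returns the string "true"), and never automatically
    // for privileged accounts; those should link while already logged in.
    if ( ! $user_id && filter_var( $claims['email_verified'] ?? false, FILTER_VALIDATE_BOOLEAN ) ) {
        $user = get_user_by( 'email', sanitize_email( $claims['email'] ?? '' ) );
        if ( $user && ! user_can( $user, 'manage_options' ) ) {
            $user_id = $user->ID;
            update_user_meta( $user_id, 'example_google_sub', $claims['sub'] );
        }
    }

    if ( ! $user_id ) {
        wp_die( 'No account is linked to this identity', '', array( 'response' => 401 ) );
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( home_url() );
    exit;
}
```

The design point is the source of truth for "who just logged in": in the vulnerable shape it is a form field, in the hardened shape it is a claim set whose audience was checked against the site's own client ID. The refusal to auto-link administrator accounts by email is a deliberate defence in depth, since even a verified email match is weaker than an explicit, authenticated link.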

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation grants an attacker complete administrative control over the affected WordPress site. The potential consequences include theft of sensitive user data, financial information, and intellectual property; website defacement; distribution of malware to site visitors; and using the compromised server to launch further attacks. Such an incident can result in severe financial loss, regulatory fines, loss of customer trust, and lasting damage to the organization's reputation.

Remediation

Immediate Action: Update the FindAll Membership plugin for WordPress to a fixed release from the vendor (any version later than 1.0.4). After patching, review all administrative accounts for signs of compromise, such as unexpected password changes, new or renamed administrator accounts, or suspicious activity. Patching does not revoke login cookies that were issued before the fix, so also reset administrator passwords (WordPress authentication cookies are keyed to a fragment of the password hash, so a reset invalidates them) or otherwise destroy those users' existing sessions.

Proactive Monitoring: Review web server and WordPress access logs for unusual login patterns, such as a new temporary user registration immediately followed by a successful administrative login from the same IP address. Monitor for unauthorized changes to website files, themes, or plugins, and look for the creation of any unexpected administrative accounts.
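The following added detection sketch implements the log pattern described above; it is not part of the advisory or the plugin. Per client IP it correlates a registration request with a later request to a page that only an account with administrative capabilities receives a 200 for (a subscriber-level account gets the 403 "Sorry, you are not allowed" response). The log lines are constructed, the example_* names and the ten-minute window are assumptions, and the URL list covers only WordPress core endpoints: add the site's actual social-login callback path(s) to example_is_registration(), since the plugin's login does not pass through wp-login.php.

```php
<?php
// Added detection sketch (not from the advisory or the plugin). Reads combined-
// format access log lines and flags: registration from IP X, then within the
// window a 200 from IP X on a page that needs administrative capabilities.

const EXAMPLE_WINDOW_SECONDS = 600; // assumption: registration -> admin page within 10 min

// Parse one Apache/Nginx "combined" log line into the fields we correlate on.
function example_parse_line( string $line ): ?array {
    if ( ! preg_match( '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( false === $ts ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'ts'     => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    );
}

// Core registration form; append the plugin's social-login callback paths here.
function example_is_registration( array $r ): bool {
    return 'POST' === $r['method']
        && false !== strpos( $r['path'], 'wp-login.php?action=register' );
}

// Pages that return 200 only to users who hold the corresponding admin
// capability; admin-ajax.php is deliberately excluded (used by everyone).
function example_is_admin_access( array $r ): bool {
    if ( 200 !== $r['status'] ) {
        return false;
    }
    $admin_pages = array( '/wp-admin/users.php', '/wp-admin/user-new.php',
                          '/wp-admin/plugins.php', '/wp-admin/plugin-install.php' );
    foreach ( $admin_pages as $p ) {
        if ( 0 === strpos( $r['path'], $p ) ) {
            return true;
        }
    }
    return false;
}

// One alert per admin-page hit that follows a registration from the same IP
// within EXAMPLE_WINDOW_SECONDS. Lines are sorted by time first.
function example_find_suspicious( array $lines ): array {
    $events = array_values( array_filter( array_map( 'example_parse_line', $lines ) ) );
    usort( $events, fn( $a, $b ) => $a['ts'] <=> $b['ts'] );
    $last_registration = array();
    $alerts            = array();
    foreach ( $events as $e ) {
        if ( example_is_registration( $e ) ) {
            $last_registration[ $e['ip'] ] = $e['ts'];
        } elseif ( example_is_admin_access( $e )
            && isset( $last_registration[ $e['ip'] ] )
            && $e['ts'] - $last_registration[ $e['ip'] ] <= EXAMPLE_WINDOW_SECONDS ) {
            $alerts[] = sprintf( '%s registered at %s then reached %s at %s',
                $e['ip'], gmdate( 'H:i:s', $last_registration[ $e['ip'] ] ),
                $e['path'], gmdate( 'H:i:s', $e['ts'] ) );
        }
    }
    return $alerts;
}

// Constructed sample: only 203.0.113.7 should alert (register -> users.php in 54 s).
// 198.51.100.20 never registered; 192.0.2.55's admin hit is hours after registering.
$sample = array(
    '203.0.113.7 - - [10/Nov/2025:14:02:11 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:14:03:05 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 41873 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Nov/2025:14:05:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 41873 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Nov/2025:09:00:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Nov/2025:16:00:00 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 30211 "-" "Mozilla/5.0"',
);
foreach ( example_find_suspicious( $sample ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Run it with `php detect.php` against a real log by replacing `$sample` with `file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES )`. Because the bypass never goes through the password check, failed-login counters and brute-force protections will not fire; the registration-then-admin sequence from one address is the observable the advisory points at, and the window and page list should be tuned to the site's normal traffic.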

Compensating Controls: If patching is not immediately possible, consider the following mitigating actions:

  • Disable the Facebook and Google social login features within the FindAll Membership plugin's settings.
  • Temporarily disable all new user registrations on the website.
  • Implement a Web Application Firewall (WAF) with rules designed to detect and block anomalous login behavior.
  • Enforce Multi-Factor Authentication (MFA) for all administrative accounts as defence in depth. Note that this is an authentication bypass, not a session hijack: because the flaw skips the standard login checks, an MFA plugin that hooks only the normal wp-login.php flow may never be consulted, so do not rely on MFA as the sole control.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability poses an immediate and severe threat to any organization using the affected plugin. We strongly recommend that administrators prioritize applying the security update immediately. Although this CVE is not currently on the CISA KEV list, its critical nature warrants an emergency-level response to prevent a full system compromise.