Sensitive Information Exposure in External Login Plugin for WordPress
CVE-2025-11196

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: External Login
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-11196?

The External Login plugin for WordPress exposes sensitive information due to insufficient security checks in its 'exlog_test_connection' AJAX action. Authenticated users with subscriber-level access or higher can exploit this vulnerability to access critical data, including truncated usernames, email addresses, and password hashes. This flaw affects all plugin versions up to and including 1.11.2, putting user data at risk. Proper implementation of capability checks and nonce validation is essential to prevent unauthorized data exposure.

Affected Version(s)

External Login * <= 1.11.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/external-login...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Sep 30, 2025

Credit

Jonas Benjamin Friedli

JSON