Cross-Site Request Forgery in Nextend Social Login and Register for WordPress
CVE-2025-13737

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Nextend Social Login And Register
Vendor
CVE Published:
28 November 2025

What is CVE-2025-13737?

The Nextend Social Login and Register plugin for WordPress is exposed to Cross-Site Request Forgery (CSRF) vulnerabilities due to inadequate nonce validation in the unlinkUser function. This flaw allows unauthenticated attackers to issue forged requests, potentially leading to the unanticipated unlinking of users' social logins by coercing an unsuspecting site administrator to engage with a malicious link or action.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Nextend Social Login and Register * <= 3.1.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/nextend-facebo...
https://plugins.trac.wordpress.org/changeset/3404174/next...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Indra Purnama
JSON
.