Case Theme User WordPress plugin flaw enables authentication bypass
Take action: If you're using the Case Theme User WordPress plugin, THIS IS URGENT. Your site is under attack. Immediately update to version 1.0.4 or later. Also check your audit logs for suspicious user account creation and unusual admin activity around the disclosure date (August 22, 2025).
Learn More
A critical authentication bypass vulnerability in the Case Theme User WordPress plugin allows attackers to hijack user accounts, including administrator accounts, simply by knowing or guessing a victim's email address. The flaw has been under active attack since August 2025.
The flaw is tracked as CVE-2025-5821 (CVSS score 9.8), Authentication Bypass Using Alternate Path. It makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts used to administer the site, if the attacker knows, or can find, the associated email address. The cause is flawed authentication logic in the plugin's Facebook social login implementation.
The plugin's facebook_ajax_login_callback() function mishandles the authentication logic for Facebook-based social login: it creates predictable temporary users and then authenticates a user based solely on the supplied email address, without verifying that the requester actually owns that address.
Affected versions include all Case Theme User plugin versions up to and including 1.0.3.
Active exploitation began almost immediately after the vulnerability's public disclosure on August 22, 2025, with threat actors launching attacks the following day.
Organizations must immediately update to Case Theme User version 1.0.4 or later. Site owners should also review audit logs for suspicious user account creation around August 22, 2025, and monitor for unusual administrative activity.
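To make the log review above concrete, here is an added Python example (not code from the plugin, its vendor, or the advisory) that triages audit-log lines for the two signals the advisory calls out: user accounts created and administrator roles granted in the days after the August 22, 2025 disclosure, then correlates findings by source IP. The line layout (`timestamp event subject key=value ...`), the sample entries, the usernames and IPs, and the hunting window of one day before to fourteen days after disclosure are all constructed assumptions; adapt `parse_line` to whatever format your audit plugin actually writes.

```python
"""Triage WordPress audit-log lines for account abuse around the CVE-2025-5821 disclosure."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log. The layout "timestamp event subject key=value ..." is an
# assumption for this example, not the output of any real audit plugin.
SAMPLE_LOG = """\
2025-08-20T09:12:44Z user_login admin ip=203.0.113.10
2025-08-23T02:17:05Z user_register ctu_tmp_4821 email=ops@example.org ip=198.51.100.7
2025-08-23T02:17:09Z user_login ops@example.org ip=198.51.100.7
2025-08-23T02:19:30Z set_user_role svc_maint role=administrator by=ops@example.org ip=198.51.100.7
2025-08-25T14:00:01Z user_login editor1 ip=192.0.2.44
2025-07-30T11:11:11Z user_register newhire email=newhire@example.org ip=192.0.2.3
"""

# Public disclosure date from the advisory; the window widths are assumptions.
DISCLOSURE = datetime(2025, 8, 22, tzinfo=timezone.utc)
WINDOW_BEFORE = timedelta(days=1)
WINDOW_AFTER = timedelta(days=14)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Finding:
    when: datetime
    event: str
    subject: str
    ip: str
    reason: str


def parse_line(line):
    """Return (timestamp, event, subject, fields) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, subject, rest = m.groups()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return when, event, subject, fields


def in_window(when):
    """True if the event falls inside the hunting window around disclosure."""
    return DISCLOSURE - WINDOW_BEFORE <= when <= DISCLOSURE + WINDOW_AFTER


def triage(log_text):
    """Flag account creation and administrator grants inside the hunting window."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, event, subject, fields = parsed
        if not in_window(when):
            continue
        ip = fields.get("ip", "unknown")
        if event == "user_register":
            findings.append(Finding(when, event, subject, ip,
                                    "account created in exploitation window"))
        elif event == "set_user_role" and fields.get("role") == "administrator":
            findings.append(Finding(when, event, subject, ip,
                                    "administrator role granted in exploitation window"))
    return findings


def escalate(findings):
    """Source IPs behind more than one finding: a new account plus an admin grant
    from the same address is the pattern worth investigating first."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return {ip for ip, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.when.isoformat()} {f.event:14} {f.subject:14} ip={f.ip} :: {f.reason}")
    print("escalate:", sorted(escalate(found)))
```

The two flagged entries in the sample (a temporary-looking account registered, then an administrator role granted a couple of minutes later from the same IP) are exactly the sequence to look for; a registration from before the window, like the July entry, is ignored. On a real site, also compare the flagged usernames against `wp_users` so that any account you do not recognize can be disabled and its sessions invalidated as part of the cleanup after updating to 1.0.4.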