Attackers are actively exploiting a critical authentication bypass vulnerability in Case Theme User, a WordPress plugin with an estimated 12,000 active installations. Because the plugin is bundled with multiple premium themes, it can be present on sites whose owners never installed it directly, which widens the population of exposed WordPress websites.
Tracked as CVE-2025-5821 (CVSS 9.8), the flaw affects all versions of the plugin up to and including 1.0.3. The root cause lies in the plugin's facebook_ajax_login_callback() function, the AJAX handler for Facebook-based social login, which mishandles the authentication logic and ends up authenticating a user on the strength of an email address alone.
Wordfence explains, “This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.”
As Wordfence details, “This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user’s email.”
A patched version (1.0.4) was released on August 13, 2025. The vulnerability was publicly disclosed on August 22, and exploitation attempts began the following day.
Wordfence has confirmed that attackers are actively targeting this vulnerability at scale: “The Wordfence Firewall has already blocked over 20,900 exploit attempts targeting this vulnerability.”
The attack pattern is simple but dangerous. Threat actors first register a temporary user, which the plugin's temp user functionality permits by default, and then invoke the vulnerable login handler with guessed administrator email addresses such as owner@, office@, or sales@victim-domain.com.
Top offending IP addresses include:
- 2602:ffc8:2:105:216:3cff:fe96:129f (6,300+ blocked requests)
- 146.70.186.142 (5,700+ blocked requests)
- 107.175.179.8 (5,000+ blocked requests)
Wordfence observed attack spikes on August 23, 26, 30, and September 2, underscoring the urgency of patching.
Attackers typically:
- Create a temporary user.
- Exploit the authentication bypass to log in as an administrator.
- Delete the temporary user to remove evidence of the initial foothold, so a clean user list does not by itself prove the site was not compromised.
Wordfence recommends reviewing log files for suspicious AJAX requests originating from the identified malicious IPs. However, they caution that “the absence of any such log entries does not guarantee that your website has not been compromised.”
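The log review described above, as an added example that is not Wordfence's or the plugin's code: it parses Apache/nginx combined-format access log lines, reports POSTs to /wp-admin/admin-ajax.php from the three IPs named in the article (with IPv6 spellings canonicalised so a differently-cased or compressed form still matches), and, because the article warns that the listed IPs are not exhaustive, also surfaces any other source that bursts admin-ajax.php POSTs. The log lines below are constructed for the example; the burst threshold and window are assumed values to tune per site.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IPs named in the Wordfence data quoted in the article.
IOC_IPS = {
    ipaddress.ip_address(ip)
    for ip in (
        "2602:ffc8:2:105:216:3cff:fe96:129f",
        "146.70.186.142",
        "107.175.179.8",
    )
}

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx "combined" format; only client IP, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). Note the upper-case IPv6 spelling and the
# GET to the registration page, which must not be flagged as an AJAX login attempt.
SAMPLE_LOG = [
    '146.70.186.142 - - [23/Aug/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '146.70.186.142 - - [23/Aug/2025:10:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2602:FFC8:2:105:216:3CFF:FE96:129F - - [23/Aug/2025:10:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '107.175.179.8 - - [23/Aug/2025:10:20:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.25 - - [26/Aug/2025:02:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.25 - - [26/Aug/2025:02:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.25 - - [26/Aug/2025:02:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [26/Aug/2025:09:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Aug/2025:09:30:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # canonicalises IPv4/IPv6 spelling
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        "ip": ip,
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def ajax_posts(lines):
    """Yield parsed POSTs to admin-ajax.php, the endpoint the exploit goes through."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == AJAX_PATH:
            yield rec


def ioc_hits(lines):
    """admin-ajax.php POSTs from the advisory's IPs, as (ip, ISO timestamp) pairs."""
    return [(str(r["ip"]), r["ts"].isoformat())
            for r in ajax_posts(lines) if r["ip"] in IOC_IPS]


def burst_sources(lines, threshold=3, window=timedelta(seconds=60)):
    """IPs outside the IOC list with >= threshold admin-ajax.php POSTs inside any window.
    Returns {ip: max POSTs seen within one window}. Threshold/window are assumed defaults."""
    per_ip = defaultdict(list)
    for r in ajax_posts(lines):
        if r["ip"] not in IOC_IPS:
            per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[str(ip)] = best
    return flagged


if __name__ == "__main__":
    for ip, when in ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {ip} at {when}")
    for ip, count in burst_sources(SAMPLE_LOG).items():
        print(f"Burst: {ip} sent {count} admin-ajax.php POSTs within 60s")
```

Point it at a real access log with `ioc_hits(open("access.log"))`. Access logs do not record POST bodies, so this cannot see which email address was tried; treat a hit or a burst as a reason to pull the full request from the WAF or application log and to check the administrator accounts, not as proof either way.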
To protect WordPress sites:
- Update immediately to Case Theme User 1.0.4 or later.
- Audit administrator accounts for unauthorized logins, and review recently created or deleted user accounts, since the temporary user is typically removed after use.
- Review logs for abnormal AJAX requests tied to the vulnerability.
Wordfence strongly advises urgent patching: “We urge users to ensure their sites are updated with the latest patched version of Case Theme User, version 1.0.4 at the time of this writing, as soon as possible, as this vulnerability is under active exploitation.”