CVE-2025-1671: 
WordPress vulnerability analysis and mitigation

The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This vulnerability was discovered and disclosed on March 1, 2025 (NVD).

The vulnerability exists in the academistmembershipcheckfacebookuser() function which fails to properly verify user identity during authentication. This implementation flaw allows unauthenticated attackers to bypass authentication controls and log in as any user, including site administrators. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to gain unauthorized access to any user account on the affected WordPress site, including administrator accounts. This could lead to complete site compromise, as attackers can gain full administrative control of the WordPress installation (NVD).

The vulnerability was fixed in version 1.2 of the Academist Membership plugin, released on February 26, 2025. Site administrators are strongly advised to update to this version or later. If immediate updating is not possible, it is recommended to disable the plugin until it can be updated (Themeforest).