Headline
Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts
A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known. Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023
Website Security / Vulnerability
A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known.
Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.
“The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address,” Wordfence researcher István Márton said.
The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properly encrypted email address used to identify the user.
Should the account belong to the WordPress site administrator, it could result in a complete compromise. The plugin is used on more than 30,000 sites.
The advisory follows the discovery of a high-severity flaw affecting LearnDash LMS plugin, a WordPress plugin with over 100,000 active installations, that could permit any user with an existing account to reset arbitrary user passwords, including those with administrator access.
The bug (CVE-2023-3105, CVSS score: 8.8), has been patched in version 4.6.0.1 that was shipped on June 6, 2023.
It also comes weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and elevate privileges by tricking a user with administrative permissions to visit a crafted WordPress site URL.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
WordPress Social Login and Register plugin versions 7.6.4 and below suffer from an authentication bypass vulnerability.
WordPress LearnDash LMS version 4.6.0 suffers from an insecure direct object reference vulnerability.
Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).