Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts

29-06-2023

A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided the email address associated with the account is already known.

Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin up to and including 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.

“The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address,” Wordfence researcher István Márton said.

The advisory follows the discovery of a high-severity flaw affecting LearnDash LMS, a WordPress plugin with over 100,000 active installations, that could permit any user with an existing account to reset arbitrary user passwords, including those of users with administrator access.

The bug (CVE-2023-3105, CVSS score: 8.8) has been patched in version 4.6.0.1, which shipped on June 6, 2023.

It also comes weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and elevate privileges by tricking a user with administrative permissions into visiting a crafted WordPress site URL.

 

Source: https://thehackernews.com/