A critical security flaw has been disclosed in miniOrange’s Social Login and List Plugin for WordPress that allows bad actors to log in as any user whose email address is already known to them.
Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw affects all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 after responsible disclosure on June 2, 2023.
“The vulnerability could allow an unauthenticated attacker to gain access to any account on the site including the account used to administer the site, if the attacker knew, or could find, the associated email address,” Wordfence researcher István Márton said.
The problem is rooted in the fact that the encryption keys used to secure information during logins using social media accounts are hard-coded, leading to scenarios where attackers can make valid requests with properly encrypted email addresses used to identify users.
If the account belongs to the administrator of the WordPress site, it can result in a total compromise. This plugin is used on more than 30,000 sites.
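The hard-coded key problem described above can be shown in a few lines. This is an added example, not the plugin's code: it uses HMAC-SHA256 from the Python standard library in place of the plugin's encryption, and every name and value in it (`SHIPPED_KEY`, `mint_token`, `verify_token`, `new_site_key`, the email address) is a hypothetical or constructed stand-in.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for a key constant shipped in plugin source: every
# install, and anyone who downloads the plugin, holds the same value.
SHIPPED_KEY = b"constructed-demo-key-not-from-any-plugin"


def _mac(key: bytes, email: str, expires: str) -> str:
    return hmac.new(key, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()


def mint_token(key: bytes, email: str, expires: int) -> str:
    """Bind an email and an expiry time to a key: 'email|expires|mac'."""
    return f"{email}|{expires}|{_mac(key, email, str(expires))}"


def verify_token(key: bytes, token: str, now: int) -> Optional[str]:
    """Return the email the token vouches for, or None if it is invalid."""
    try:
        email, expires, mac = token.rsplit("|", 2)
        expired = int(expires) < now
    except ValueError:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(key, email, expires).encode())
    return email if ok and not expired else None


def new_site_key() -> bytes:
    """Hardened form: a random secret generated once per installation."""
    return secrets.token_bytes(32)


def demo(now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    admin = "admin@example.test"  # constructed address
    # Token produced by a party holding only the distributed plugin code.
    outside = mint_token(SHIPPED_KEY, admin, now + 300)
    site_key = new_site_key()
    return {
        "shipped_key_accepts_outside": verify_token(SHIPPED_KEY, outside, now),
        "site_key_accepts_outside": verify_token(site_key, outside, now),
        "site_key_accepts_own": verify_token(site_key, mint_token(site_key, admin, now + 300), now),
        "site_key_accepts_expired": verify_token(site_key, mint_token(site_key, admin, now - 1), now),
    }
```

With the shipped constant, the verifier cannot tell a token made on the site from one made anywhere else; with a per-installation secret, only tokens the site itself issued are accepted.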
The advisory follows the discovery of a high-severity flaw affecting the LearnDash LMS plugin, a WordPress plugin with over 100,000 active installations, which can allow any user with an existing account to reset an arbitrary user’s password, including those with administrator access.
The bug (CVE-2023-3105, CVSS score: 8.8) was patched in version 220.127.116.11, which shipped on 6 June 2023.
It also comes a few weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the Updraft Plus plugin (CVE-2023-32960, CVSS score: 7.1), which allows unauthenticated attackers to steal sensitive data and elevate privileges by tricking users with administrative permissions into visiting a crafted WordPress site URL.