Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts

A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known.

Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.

“The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address,” Wordfence researcher István Márton said.

The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properly encrypted email address used to identify the user.

Should the account belong to the WordPress site administrator, it could result in a complete compromise. The plugin is used on more than 30,000 sites.

The advisory follows the discovery of a high-severity flaw affecting LearnDash LMS plugin, a WordPress plugin with over 100,000 active installations, that could permit any user with an existing account to reset arbitrary user passwords, including those with administrator access.

The bug (CVE-2023-3105, CVSS score: 8.8), has been patched in version 4.6.0.1 that was shipped on June 6, 2023.

It also comes weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and elevate privileges by tricking a user with administrative permissions to visit a crafted WordPress site URL.