There is a serious security vulnerability in miniOrange’s Social Login and Register plugin for WordPress, which might make it possible for a malevolent actor to log in since any email address that users submit is already known.
The authentication bypass vulnerability, which affects all versions of the plugin, including those older than 7.6.4, is tracked as CVE-2023-2982 (CVSS score: 9.8). After responsible disclosure on June 2, 2023, it was addressed on June 14, 2023, with the release of version 7.6.5.
“The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address,” István Márton, a researcher at Wordfence,
The problem stems from the fact that the encryption key used to protect the data when logging in with social media accounts is hard-coded. This means that an attacker may be able to generate a legitimate request using an appropriately encrypted email address, which would allow them to identify the user.
If the WordPress site administrator’s account is involved, there may be a total compromise. There are over 30,000 websites that use the plugin.
The warning was issued after a high-severity defect impacting LearnDash LMS plugin
a WordPress plugin with more than 100,000 active installations that might allow any user to reset any password, even administrator passwords, for any user who already has an account.
Version 184.108.40.206, which was released on June 6, 2023, includes a fix for the bug (CVE-2023-3105, CVSS score: 8.8).
Additionally, it occurs several weeks after Patchstack disclosed a cross-site request forgery (CSRF) flaw in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that, by deceiving a user with administrative permissions into visiting a crafted WordPress site URL, could enable an unauthenticated attacker to elevate privileges and steal confidential data.