A critical security flaw has been disclosed in miniOrange's Social Login and Register plugin for WordPress that could allow a malicious actor to log in as any user, provided the user's email address is already known.
Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin up to and including 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.
“The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a website, including accounts used to manage the site, if the attacker is aware of, or can discover, the related email address,” Wordfence researcher István Márton said.
The issue is rooted in the fact that the encryption key used to secure the information during login with social media accounts is hard-coded, leading to a scenario where attackers could create a valid request with a properly encrypted email address used to identify the user.
Should the account belong to the WordPress site administrator, it could result in a complete compromise. The plugin is used on more than 30,000 sites.
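The root cause described above, as an added sketch that is not the plugin's code: the page does not describe the plugin's cipher or request format, so an HMAC tag stands in for the encrypted value, and `SHIPPED_KEY`, `mint`, `verify` and the sample addresses are constructed. It shows that a value protected by a key shipped in the source verifies for anyone who has that source, while a per-installation random secret with an expiry rejects it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a key shipped in plugin source (same on every install).
SHIPPED_KEY = b"constructed-key-shipped-in-source"


def _tag(key: bytes, email: str, expires: str) -> bytes:
    return hmac.new(key, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest().encode()


def mint(key: bytes, email: str, expires: int) -> str:
    """Build 'email|expires|tag' with tag = HMAC-SHA256(key, 'email|expires')."""
    return f"{email}|{expires}|{_tag(key, email, str(expires)).decode()}"


def verify(key: bytes, token: str, now: int) -> Optional[str]:
    """Return the e-mail address only if the tag matches and the token is unexpired."""
    try:
        email, expires, tag = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:  # wrong field count or non-numeric expiry
        return None
    if not hmac.compare_digest(tag.encode(), _tag(key, email, expires)):
        return None
    return email if now <= expires_at else None


def demo() -> dict:
    now = 1_700_000_000  # constructed fixed clock so the results are repeatable
    site_a = secrets.token_bytes(32)  # generated once per installation, kept server-side
    site_b = secrets.token_bytes(32)
    # Anyone holding the source can compute this without contacting the site.
    outsider = mint(SHIPPED_KEY, "admin@example.com", now + 300)
    own = mint(site_a, "user@example.com", now + 300)
    return {
        "shipped_key_accepts_outsider": verify(SHIPPED_KEY, outsider, now),
        "per_site_rejects_outsider": verify(site_a, outsider, now),
        "per_site_accepts_own": verify(site_a, own, now),
        "other_site_rejects": verify(site_b, own, now),
        "expired_rejected": verify(site_a, mint(site_a, "user@example.com", now - 1), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```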
The advisory follows the discovery of a high-severity flaw affecting LearnDash LMS, a WordPress plugin with over 100,000 active installations, that could allow any user with an existing account to reset arbitrary user passwords, including those with administrator access.
The bug (CVE-2023-3105, CVSS score: 8.8) has been patched in version 4.6.0.1, which shipped on June 6, 2023.
It also comes weeks after Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and elevate privileges by tricking a user with administrative permissions into visiting a crafted WordPress site URL.