CVE-2023-2982

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/	Product
https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107	Product
https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid	Product
https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:miniorange:wordpress_social_login_and_register_\(discord\,_google\,_twitter\,_linkedin\):*:*:*:*:*:wordpress:*:*

History

07 Nov 2023, 04:13

Type	Values Removed	Values Added
CWE	~~CWE-288~~

06 Jul 2023, 21:04

Type	Values Removed	Values Added
First Time		Miniorange Miniorange wordpress Social Login And Register \(discord\, Google\, Twitter\, Linkedin\)
References	~~(MISC) https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid -~~	(MISC) https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid - Product
References	~~(MISC) https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/ -~~	(MISC) https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/ - Product
References	~~(MISC) https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid -~~	(MISC) https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid - Product
References	~~(MISC) https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107 -~~	(MISC) https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107 - Product
References	~~(MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve -~~	(MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve - Third Party Advisory
CPE		cpe:2.3:a:miniorange:wordpress_social_login_and_register_\(discord\,_google\,_twitter\,_linkedin\)::::::wordpress::*

29 Jun 2023, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-29 02:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-2982

Mitre link : CVE-2023-2982

CVE.ORG link : CVE-2023-2982

JSON object : View

Products Affected

miniorange

wordpress_social_login_and_register_\(discord\,_google\,_twitter\,_linkedin\)

CWE

No CWE.

9.8 /10