A critical security flaw has been revealed in miniOrange’s social login and registration plugin for WordPress, which could allow a malicious attacker to log in because user-provided information about email addresses is known.
This authentication bypass flaw, tracked as CVE-2023-2982 (CVSS score: 9.8), affects all versions of the plugin, including 7.6.4 and earlier. This issue was addressed on June 14, 2023 and version 7.6.5 was released following responsible disclosure on June 2, 2023.
“This vulnerability allows an unauthenticated attacker to access any account on the site, including accounts used to administer the site, if the associated email address is known or can be found. says Wordfence researcher István Marton.
The root cause of this issue is that the encryption keys used to protect information when logging in using social media accounts are hard-coded, allowing an attacker to properly encrypt the data used to identify users. This leads to a scenario where a valid request could be made using an encrypted email address. .
If the account belongs to a WordPress site admin, it can lead to a complete compromise. This plugin is used by over 30,000 of his sites.
This advisory follows the discovery of a high-severity flaw affecting the LearnDash LMS plugin, a WordPress plugin with over 100,000 active installations, which could cause an existing Any user with an account (including those with administrator access) may be able to reset any user’s password.
This bug (CVE-2023-3105, CVSS score: 8.8) was patched in version 4.6.0.1, which shipped on June 6, 2023.
This also came a few weeks after Patchstack detailed a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2023-32960, CVSS score: 7.1) in the UpdraftPlus plugin. This vulnerability could allow an unauthenticated attacker to trick a user into stealing sensitive data and elevating their privileges. You need admin privileges to access the created WordPress site URL.
