Maxntv

#11298of 53,622
24.4Total CVSS
Vulnerabilities · 3
High
2
Critical
1
PT-2024-37764
7.3
2024-07-20
WordPress · Woocommerce - Social Login · CVE-2024-6635
**Name of the Vulnerable Software and Affected Versions** WooCommerce - Social Login plugin for WordPress versions up to, and including, 2.7.3 **Description** The issue is related to authentication bypass due to insufficient controls in the `woo slg login email` function. This allows unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of the user. **Recommendations** For versions up to, and including, 2.7.3, update to a version higher than 2.7.3 to resolve the issue. As a temporary workaround, consider disabling the `woo slg login email` function until a patch is available.
PT-2024-37765
9.8
2024-07-20
WordPress · Woocommerce - Social Login · CVE-2024-6636
**Name of the Vulnerable Software and Affected Versions** WooCommerce - Social Login plugin for WordPress versions up to, and including, 2.7.3 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `woo slg login email` function. This enables unauthenticated attackers to change the default role to Administrator while registering for an account. **Recommendations** For versions up to, and including, 2.7.3, update to a version higher than 2.7.3 to resolve the issue. As a temporary workaround, consider disabling the `woo slg login email` function until a patch is available. Restrict access to user registration to minimize the risk of exploitation.
PT-2024-37766
7.3
2024-07-20
WordPress · Woocommerce - Social Login · CVE-2024-6637
**Name of the Vulnerable Software and Affected Versions** WooCommerce - Social Login plugin for WordPress versions up to, and including, 2.7.3 **Description** The issue is related to unauthenticated privilege escalation due to a lack of brute force controls on a weak one-time password. This allows unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of the user. **Recommendations** For versions up to, and including, 2.7.3, update to a version that includes brute force controls on the one-time password to prevent unauthenticated privilege escalation. As a temporary workaround, consider restricting access to the one-time password feature until a patch is available.