PT-2023-17425 · WordPress · Zm Ajax Login & Register

István Márton

Published

2023-04-15

Updated

2023-04-24

CVE-2023-2027

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ZM Ajax Login & Register plugin for WordPress versions up to, and including, 2.0.2

Description The issue is related to insufficient verification on the user being supplied during a Facebook login through the plugin. This allows unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Recommendations For versions up to, and including, 2.0.2, update to a version later than 2.0.2 to resolve the issue. As a temporary workaround, consider disabling Facebook login through the plugin until a patch is available. Restrict access to administrative accounts to minimize the risk of exploitation.

Fix

Improper Authentication

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-288

Related Identifiers

CVE-2023-2027

Affected Products

Zm Ajax Login & Register

PT-2023-17425 · WordPress · Zm Ajax Login & Register

CVE-2023-2027

Weakness Enumeration

Related Identifiers

Affected Products

References · 5