CVE-2023-2704

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions BP Social Connect plugin for WordPress versions up to, and including, 1.5

Description The issue is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Recommendations For versions up to, and including, 1.5, update to a version that includes the necessary verification to prevent authentication bypass. As a temporary workaround, consider restricting access to the Facebook login feature through the plugin until a patch is available.

Exploit

Fix

Authentication Bypass Using an Alternate Path or Channel

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288CWE-306

Related Identifiers

CVE-2023-2704

Affected Products

Social Connect

CVE-2023-2704

Weakness Enumeration

Related Identifiers

Affected Products

References · 10