PT-2023-3468 · WordPress · Wordpress Social Login/Register
István Márton
+1
·
Published
2023-05-27
·
Updated
2023-12-08
·
CVE-2023-2982
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
WordPress Social Login and Register plugin versions up to and including 7.6.4
Description
The issue is related to an authentication bypass in the WordPress Social Login and Register plugin. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. It makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user.
Recommendations
For versions up to and including 7.6.4, update to version 7.6.5 to fully patch the issue.
As a temporary workaround, consider restricting access to the login functionality until the update is applied.
Exploit
Fix
Authentication Bypass Using an Alternate Path or Channel
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wordpress Social Login/Register