PT-2024-38393 · WordPress · Woocommerce - Social Login
Truoc Phan · Published 2024-08-10 · Updated 2025-02-07
CVE-2024-7503
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WooCommerce - Social Login plugin for WordPress versions up to 2.7.5
Description
The issue is due to a loose comparison of the activation code in the woo_slg_confirm_email_user function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, provided they know the user ID. The email module must be enabled for this issue to occur.
Recommendations
For WooCommerce - Social Login plugin for WordPress versions up to 2.7.5, consider disabling the woo_slg_confirm_email_user function until a patch is available, to prevent the authentication bypass. Additionally, restrict access to the email module to minimize the risk of exploitation.
Fix
Missing Authentication
Authentication Bypass Using an Alternate Path or Channel
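To illustrate the weakness class the description names, the following is an added example written for this page (hypothetical code, not the plugin's own source): an activation-code check built on PHP loose comparison beside a hardened version that fails closed and compares strictly. The helper names, the `activation_code` field and the sample user records are assumptions.

```php
<?php
// Added illustration; not code from the WooCommerce - Social Login plugin.
// User records and submissions below are constructed sample data.

// Weak pattern: PHP's `==` applies type juggling before comparing.
// Two strings that both look numeric are compared as numbers, and an
// empty or unset stored code compares equal to an empty submission.
function confirm_loose(array $user, $submitted): bool {
    return $user['activation_code'] == $submitted;
}

// Hardened pattern: fail closed when no code is stored, require a
// non-empty string on both sides, then compare byte-for-byte in
// constant time with hash_equals().
function confirm_strict(array $user, $submitted): bool {
    $stored = $user['activation_code'] ?? null;
    if (!is_string($stored) || $stored === ''
        || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

$users = [
    1 => ['activation_code' => 'a9f3c2e1'], // pending user with a code
    2 => ['activation_code' => ''],         // confirmed user, code cleared
    3 => ['activation_code' => null],       // user never issued a code
];

$cases = [
    [1, 'a9f3c2e1'], // correct code: both checks accept
    [1, 'wrong'],    // wrong code: both checks reject
    [2, ''],         // empty submission against a cleared code
    [3, ''],         // empty submission against a null code
];

foreach ($cases as [$id, $submitted]) {
    printf("user %d submitted %-10s loose=%s strict=%s\n",
        $id, var_export($submitted, true),
        confirm_loose($users[$id], $submitted) ? 'accept' : 'reject',
        confirm_strict($users[$id], $submitted) ? 'accept' : 'reject');
}
```

The last two cases are the point: the loose check accepts an empty submission for users 2 and 3, while the strict check rejects any confirmation attempt for a user who has no non-empty code on record.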
Related Identifiers
Affected Products
Woocommerce - Social Login