PT-2024-39434 · WordPress · Wechat Social Login Plugin

István Márton

·

Published

2024-10-01

·

Updated

2024-10-05

·

CVE-2024-9106

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Wechat Social Login plugin for WordPress, versions up to and including 1.3.0

Description

The issue is due to insufficient verification of the user identity supplied during the social login flow. This makes it possible for unauthenticated attackers to log in as any existing user on the site, including an administrator, provided they know that user's ID. The flaw is only exploitable when the app secret is not set and therefore still has its default empty value.

Recommendations

For versions up to and including 1.3.0, update to a version that includes the fix for this issue. As a temporary workaround, set a non-empty value for the app secret to prevent exploitation, and restrict access to the social login feature until the update has been applied.
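The following PHP is an added illustration of the defect class described above and of the workaround in the recommendations; it is not the plugin's own code, and the shape of the vulnerable logic is a hypothesis about this class of bug, not a reconstruction of the plugin. Every name in it (the wsl_* functions, the wsl_app_id and wsl_app_secret options, the wsl_wechat_openid user-meta key, the WSL_TOKEN_ENDPOINT constant) is an assumption made for the example. The vulnerable callback accepts a WordPress user ID from the request and logs that user in, with the provider exchange that would have bound the login to a real identity skipped whenever the secret is empty. The hardened callback refuses to run without a configured secret, checks the state value, derives the identity from the provider, and maps it to a local account through stored user meta, never reading a user ID from the request.

```php
<?php
/**
 * Added illustration for this advisory, not the plugin's code.
 * All identifiers below are assumptions made for the example.
 */

// Assumption: the provider's code-for-identity exchange endpoint.
define( 'WSL_TOKEN_ENDPOINT', 'https://api.weixin.qq.com/sns/oauth2/access_token' );

/**
 * Vulnerable pattern (hypothetical): the user to log in comes from the
 * request, and the only step that could reject the request is skipped
 * when the app secret is empty, which is its default.
 */
function wsl_vulnerable_callback() {
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    $secret  = get_option( 'wsl_app_secret', '' );

    if ( '' !== $secret ) {
        // The provider token exchange would run here and could fail the login.
    }
    // With an empty secret nothing above gated the request: whatever ID the
    // caller supplied, including 1 (usually an administrator), is logged in.
    $user = get_user_by( 'id', $user_id );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
        wp_safe_redirect( admin_url() );
        exit;
    }
    wp_die( 'Login failed.', 'Login failed', array( 'response' => 403 ) );
}

/**
 * Hardened pattern: an empty secret disables the feature outright instead of
 * silently skipping verification, and the account is chosen by the verified
 * provider identity rather than by a request-supplied WordPress user ID.
 */
function wsl_hardened_callback() {
    $app_id = get_option( 'wsl_app_id', '' );
    $secret = get_option( 'wsl_app_secret', '' );
    if ( '' === $app_id || '' === $secret ) {
        wp_die( 'Social login is not configured.', 'Social login disabled', array( 'response' => 503 ) );
    }

    // Assumption: the login was started with wp_create_nonce( 'wsl_social_login' )
    // passed to the provider as the state parameter; it must come back unchanged.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'wsl_social_login' ) ) {
        wp_die( 'Invalid login state.', 'Login failed', array( 'response' => 403 ) );
    }

    $code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
    if ( '' === $code ) {
        wp_die( 'Missing authorization code.', 'Login failed', array( 'response' => 400 ) );
    }

    // Exchange the one-time code for an identity. The secret is what proves this
    // site is the registered application, so an empty secret never reaches here.
    $response = wp_remote_get(
        add_query_arg(
            array(
                'appid'      => $app_id,
                'secret'     => $secret,
                'code'       => $code,
                'grant_type' => 'authorization_code',
            ),
            WSL_TOKEN_ENDPOINT
        ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Provider exchange failed.', 'Login failed', array( 'response' => 502 ) );
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $body['openid'] ) || ! is_string( $body['openid'] ) ) {
        wp_die( 'Provider did not return an identity.', 'Login failed', array( 'response' => 502 ) );
    }

    // Bind the verified provider identity to a local account through user meta.
    $users = get_users(
        array(
            'meta_key'   => 'wsl_wechat_openid',
            'meta_value' => $body['openid'],
            'number'     => 1,
            'fields'     => 'ID',
        )
    );
    if ( empty( $users ) ) {
        wp_die( 'No account is linked to this identity.', 'Login failed', array( 'response' => 403 ) );
    }

    $user_id = (int) $users[0];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The first check in the hardened callback is the workaround from the recommendations turned into code: with the secret empty, the callback refuses to run at all. The rest shows why setting the secret closes the hole only when the secret is actually consulted on every login, and why the account lookup must key off the provider identity rather than a user ID the caller can choose.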

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Related Identifiers

CVE-2024-9106

Affected Products

Wechat Social Login Plugin