PT-2025-10406 · WordPress · Miniorange Social Login/Register Pro Addon
Wesley
·
Published
2025-03-08
·
Updated
2025-03-13
·
CVE-2024-11087
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress versions up to, and including, 200.3.9
Description
The issue is related to insufficient verification of the user being returned by the social login token, allowing unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
Recommendations
For versions up to, and including, 200.3.9, update to a version that includes proper verification of the user returned by the social login token to prevent authentication bypass.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Miniorange Social Login/Register Pro Addon