PT-2026-57277 · WordPress · Miniorange Social Login/Register

Supakiad S

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-12761

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) versions prior to 7.7.1
Description An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin accepts an arbitrary email address via the email field POST parameter without verifying if the email belongs to the identity provided by the OAuth provider. Additionally, the send otp token() function returns a transaction hash to the client generated by SHA-512 of the customer key and the One-Time Password (OTP). Since the OTP space is limited to 99,000 values and the customer key is a static option, an unauthenticated attacker can trigger an OTP email to an administrator's address, crack the OTP offline using the leaked hash, and submit it to the mo openid social login validate otp() function to gain full administrator access.
Recommendations Update the plugin to a version newer than 7.7.0.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12761

Affected Products

Miniorange Social Login/Register