PT-2026-57277 · WordPress · Miniorange Social Login/Register
Supakiad S
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-12761
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) versions prior to 7.7.1
Description
An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin accepts an arbitrary email address via the
email field POST parameter without verifying if the email belongs to the identity provided by the OAuth provider. Additionally, the send otp token() function returns a transaction hash to the client generated by SHA-512 of the customer key and the One-Time Password (OTP). Since the OTP space is limited to 99,000 values and the customer key is a static option, an unauthenticated attacker can trigger an OTP email to an administrator's address, crack the OTP offline using the leaked hash, and submit it to the mo openid social login validate otp() function to gain full administrator access.Recommendations
Update the plugin to a version newer than 7.7.0.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Miniorange Social Login/Register