Critical Security Flaw in miniOrange Social Login Plugin for WordPress
Take action: another urgent patch for your WordPress site if you use miniOrange Social Login and Register. If you leave this one unpatched, you may find yourself locked out of your own WordPress.
MiniOrange's Social Login and Register plugin for WordPress has been found to have a critical security flaw with serious implications. The plugin is used by over 30,000 sites, which makes the potential impact of this vulnerability a significant concern.
CVE-2023-2982, which carries a CVSS score of 9.8, allows an attacker to log in as any user provided they know that user's email address.
The flaw affects all versions of the plugin up to and including 7.6.4.
To address this issue, the plugin developers released version 7.6.5 on June 14, 2023.
The vulnerability enables an unauthenticated attacker to gain unauthorized access to any account on a website. This includes accounts with administrative privileges if the attacker has knowledge of or can discover the associated email address.
The problem stems from the fact that the encryption key used to secure login information passed through social media accounts is hardcoded. Consequently, an attacker can craft a valid request containing a properly encrypted email address and impersonate that user.
If the compromised account belongs to a WordPress site administrator, the consequences could be severe, as it could result in a complete compromise of the site.
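The flaw class described above, as an added illustration that is not code from the plugin or from this advisory: a login token derived from an email under a key that ships inside the source (modelled here with a keyed MAC rather than the plugin's actual cipher; the key value is a constructed placeholder, not the real one) beside a hardened issuer that uses a per-site secret, an expiry and single-use nonces. The `LoginTokenIssuer` class and every other name here are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder standing in for a key that ships inside the plugin
# source; it is NOT the real plugin's key and a keyed MAC stands in for its cipher.
HARDCODED_KEY = b"constructed-example-key"

def weak_login_token(email: str) -> str:
    # Vulnerable pattern: the token depends only on the email and a key that
    # every installation, and every reader of the source, shares.
    return hmac.new(HARDCODED_KEY, email.encode(), hashlib.sha256).hexdigest()

def weak_verify(email: str, token: str) -> bool:
    # Knowing the (public) key is all it takes to produce an accepted token.
    return hmac.compare_digest(weak_login_token(email), token)

class LoginTokenIssuer:
    """Hardened pattern: per-site secret generated at install time (never in
    source control), short-lived tokens bound to the email, single use."""

    def __init__(self, secret: Optional[bytes] = None, ttl: int = 300):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.ttl = ttl
        self._used_nonces = set()

    def _mac(self, body: str) -> str:
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: int) -> str:  # now: unix seconds, passed in
        body = f"{email}|{now + self.ttl}|{secrets.token_hex(8)}"
        return f"{body}|{self._mac(body)}"

    def verify(self, token: str, now: int) -> Optional[str]:
        # Returns the authenticated email, or None for forged/tampered/expired/replayed.
        try:
            email, expiry, nonce, mac = token.rsplit("|", 3)
            expires_at = int(expiry)
        except ValueError:
            return None
        if not hmac.compare_digest(self._mac(f"{email}|{expiry}|{nonce}"), mac):
            return None  # wrong secret, or email/expiry altered after issuance
        if expires_at < now or nonce in self._used_nonces:
            return None  # stale or replayed
        self._used_nonces.add(nonce)
        return email
```

A token minted under the placeholder key is accepted by the weak verifier but rejected by an issuer holding its own per-site secret, which is the property the hardcoded-key design lacks.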