Pierluigi Paganini June 30, 2023

A critical authentication bypass flaw in miniOrange’s WordPress Social Login and Register plugin, can allow gaining access to any account on a site.

Wordfence researchers discovered an authentication bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, that can allow an unauthenticated attacker to gain access to any account on a site by knowing the associated email address.

WordPress Social Login Plugin allows social login, social share & commenting using widely used apps like Facebook, Google, LinkedIn, Twitter, Apple, Discord, Twitch, Line, Wechat, 40 other apps available. Instead of requiring visitors to waste time filling out the typical registration form, it allows them to register/login to a website using their social media profiles.

The plugin is actively installed on more than 30,000 WordPress websites. The flaw, tracked as CVE-2023-2982 (CVSS Score: 9.8) impacts versions up to, and including, 7.6.4.

“This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user.” reads the advisory published by WordFence. “This was partially patched in version 7.6.4 and fully patched in version 7.6.5.”

The researchers discovered that the encryption key used to protect the information used during the login process through social media accounts is hardcoded and was not unique per WordPress installation.

“This makes it possible for attackers to craft a valid request containing a properly encrypted email address which vulnerable versions of the plugin use during the login process to determine the user.” continues the report. “Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin.”

If the attacker takes over privileged user accounts, he will be able to completely compromise a WordPress site using the vulnerable plugin.

Below is the timeline for this issue:

May 28, 2023 – Discovery of the Authentication Bypass vulnerability in WordPress Social Login and Register.
May 30, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
June 2, 2023 – The vendor confirms the inbox for handling the discussion.
June 2, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 2, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Please note we delayed the firewall rule to prevent completely breaking the plugin’s core functionality.
June 14, 2023 – A fully patched version of the plugin, 7.6.5, is released.
July 2, 2023 – Wordfence Free users receive the same protection.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)