"miniOrange's WordPress Social Login and Register Plugin Was Affected by a Critical Auth Bypass Bug"

Wordfence researchers have found a vulnerability in miniOrange's WordPress Social Login and Register plugin that allows an unauthenticated attacker to log in as any user on a site, provided the attacker knows the email address associated with that account. The plugin lets visitors register or log in with their social media profiles instead of filling out a traditional registration form, and it has more than 30,000 active installations. The vulnerability, tracked as CVE-2023-2982 with a CVSS score of 9.8, affects versions up to and including 7.6.4. According to the researchers, the encryption key that protects the email address handed back during the social login flow is hardcoded in the plugin and is therefore the same on every WordPress installation. Anyone who has the key can craft a request containing a properly encrypted email address, and vulnerable versions decrypt that value and use it to select the user to log in. This article continues to discuss the critical authentication bypass flaw found in miniOrange's WordPress Social Login and Register plugin that can allow access to any account on a site.
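The flaw class described above, as an added illustration that is not the plugin's own code and is written in Python rather than PHP so it runs stand-alone. The cipher is a toy HMAC-keyed XOR stand-in for the real encryption, and the key value, user table and email addresses are constructed. The first half shows why a key shared by every installation is fatal: whoever reads the shipped source can mint a ciphertext any site will accept. The second half shows one hardened design (an assumption, not the vendor's fix): a per-site secret generated at install time, and a server-minted, HMAC-tagged, single-use, short-lived token bound to a nonce issued when the login flow starts, so that the site never trusts a client-supplied email at all.

```python
"""Constructed demo: social-login tokens protected by a key hardcoded in the
plugin (identical on every site) versus per-site keyed, single-use tokens."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed stand-in for the WordPress user table (not real data).
USERS = {
    "admin@example.com": {"login": "admin", "role": "administrator"},
    "editor@example.com": {"login": "editor", "role": "editor"},
}

# --- Vulnerable pattern: one key baked into the shipped source ---------------
HARDCODED_KEY = b"same-key-on-every-install"  # constructed; not the plugin's real key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style XOR with an HMAC-SHA256 keystream (toy stand-in for the real cipher)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def vulnerable_encrypt_email(email: str, key: bytes = HARDCODED_KEY) -> str:
    """What the plugin's own flow produces after the social provider returns."""
    nonce = os.urandom(16)
    return base64.urlsafe_b64encode(nonce + _keystream_xor(key, nonce, email.encode())).decode()


def vulnerable_login(blob: str, users=USERS):
    """The flawed step: decrypt the email and trust it to select the account."""
    raw = base64.urlsafe_b64decode(blob)
    email = _keystream_xor(HARDCODED_KEY, raw[:16], raw[16:]).decode("utf-8", "replace")
    return users.get(email)


def attacker_forge(victim_email: str) -> str:
    """Anyone who reads the plugin source has HARDCODED_KEY; nothing else is needed."""
    return vulnerable_encrypt_email(victim_email, HARDCODED_KEY)


# --- Hardened pattern: per-site secret, server-minted single-use token -------
class SocialLoginSite:
    TTL = 300  # seconds a pending nonce or issued token stays valid

    def __init__(self, users=USERS):
        self.users = users
        self.key = secrets.token_bytes(32)  # generated at install time, stored per site
        self.pending = {}                   # nonce -> expiry, recorded when a flow starts

    def begin_login(self) -> str:
        """Start of the flow; the nonce travels in the OAuth state parameter."""
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = time.time() + self.TTL
        return nonce

    def issue_token(self, email: str, nonce: str) -> str:
        """Called only after the site itself has verified the provider's response."""
        claims = {"email": email, "nonce": nonce, "exp": int(time.time()) + self.TTL}
        payload = json.dumps(claims).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()  # fixed 32 bytes
        return base64.urlsafe_b64encode(payload + tag).decode()

    def login(self, token: str):
        """Accept only a token this site minted, once, before it expires."""
        try:
            raw = base64.urlsafe_b64decode(token)
        except ValueError:
            return None
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # minted under another site's key, or tampered with
        claims = json.loads(payload)
        now = time.time()
        if claims["exp"] < now:
            return None
        if self.pending.pop(claims["nonce"], 0) < now:
            return None  # nonce never issued, expired, or already consumed
        return self.users.get(claims["email"])


if __name__ == "__main__":
    print("forged login:", vulnerable_login(attacker_forge("admin@example.com")))
    site = SocialLoginSite()
    tok = site.issue_token("admin@example.com", site.begin_login())
    print("own token:", site.login(tok), "| replay:", site.login(tok))
    print("other site's token:", SocialLoginSite().login(tok))
```

The two halves differ in what the server trusts. In the vulnerable flow the decryptable email is the credential, so the secret that protects it must be unguessable per site; shipping it in the source makes it public. In the hardened flow the only thing the client presents is a token the same site created after doing the provider check itself, and the HMAC over a per-site secret, the single-use nonce and the expiry each independently stop a token forged elsewhere, replayed, or kept for later.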

Security Affairs reports "miniOrange's WordPress Social Login and Register Plugin Was Affected by a Critical Auth Bypass Bug"

Submitted by Anonymous on