HQ/EMEAFind out how we can help your business
Researchers discovered a critical vulnerability in WordPress’s miniOrange Social Login and Register plugin. Based on reports, the newly discovered flaw could allow an unauthorised actor to log in as any user if it could provide a valid email address.
The vulnerability in question is CVE-2023-2982, with a severity score of 9.8 out of 10. This authentication bypass flaw could affect all plugin versions before 7.6.4. The admins addressed the flaw last month by releasing patch 7.6.5 following the responsible disclosure in early June.
The critical vulnerability in the miniOrange plugin could theoretically allow an attacker to acquire access to any account on a website.
According to an investigation, the flaw in the miniOrange plugin could allow an unauthenticated hacker to acquire access to any account on a website, including versions utilised to manage the site, if the attacker knows or could locate the associated email address.
In addition, the researchers believe that the issue came from the encryption key used by the admins to secure the information login using hard-coded social media accounts. Hence, this method could lead to an event where the threat actors could generate a valid request with a properly encrypted email address utilised to identify the user.
However, a WordPress site admin owning an account could result in a complete compromise. A recent tally showed that the plugin serves more than 30,000 websites.
This advisory occurred after discovering another high-severity vulnerability that affects the LearnDash LMS plugin. This WordPress plugin has acquired over 100,000 active installations that could permit users with an existing account to reset arbitrary user passwords, including those with admin access.
The flaw in this issue is CVE-2023-3105, with a critical severity score of 8.8 out of 10. Fortunately, the plugin administrators released patch 4.6.0.1 last month to address the situation.
These plugin vulnerabilities could be detrimental to site owners and users as they could inflict different types of damage. Website details and user information are all susceptible to threat actors that could exploit a flaw. Therefore, site admins should immediately employ patches as soon as it becomes available.
