PRIOn knowledge basePRION:CVE-2023-2982

HistoryJun 29, 2023 - 2:15 a.m.

Authentication flaw

2023-06-2902:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

authentication bypass

vulnerable plugin

insufficient encryption

unauthenticated attackers

administrator access

version 7.6.4

version 7.6.5.

9.5 High

AI Score

Confidence

High

0.012 Low

EPSS

Percentile

85.4%

JSON

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

CPENameOperatorVersion
wordpress_social_login_and_register_\\(discord\\,_google\\,_twitter\\,_linkedin\\)lt7.6.5

CPE	Name	Operator	Version
	wordpress_social_login_and_register_\\(discord\\,_google\\,_twitter\\,_linkedin\\)	lt	7.6.5

References

lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/

plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php

plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid

plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid

www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve