CVE-2023-2704
📋 TL;DR
The BP Social Connect WordPress plugin versions up to 1.5 have an authentication bypass vulnerability that allows unauthenticated attackers to log in as any existing user, including administrators, if they have access to the user's email address. This occurs due to insufficient verification during Facebook login integration. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- BP Social Connect WordPress Plugin
📦 What is this software?
Bp Social Connect by Vibethemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, enabling complete site takeover, data theft, malware injection, and further network compromise.
Likely Case
Attackers compromise user accounts, steal sensitive data, deface websites, or install backdoors for persistent access.
If Mitigated
With proper monitoring and limited user accounts, impact is reduced to unauthorized access to non-privileged accounts only.
🎯 Exploit Status
Exploitation requires knowledge of target user email addresses, which can often be obtained through enumeration or public sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.6 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the BP Social Connect plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.6+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Facebook Login Feature
Temporarily disable the vulnerable Facebook login functionality in the plugin settings.
Deactivate Plugin
Completely deactivate the BP Social Connect plugin until patched:
wp plugin deactivate bp-social-connect
🧯 If You Can't Patch
- Disable or remove the BP Social Connect plugin immediately.
- Implement strict network access controls to limit exposure to the WordPress admin interface.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for BP Social Connect version 1.5 or earlier.
Check Version:
wp plugin get bp-social-connect --field=version
Verify Fix Applied:
Confirm plugin version is 1.6 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual login patterns from Facebook OAuth endpoints
- Multiple failed login attempts followed by successful logins from new IPs
- Administrator account logins from unexpected locations
Network Indicators:
- HTTP POST requests to /wp-content/plugins/bp-social-connect/includes/social/facebook/ endpoints with manipulated parameters
SIEM Query:
source="wordpress.log" AND ("bp-social-connect" OR "facebook-login") AND (status=200 OR "login successful")
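A small access-log check that ties the network indicator above (POSTs under the plugin's facebook/ directory) to the log indicator that follows it (an administrator login shortly afterwards from the same client), written for this page as an added example; it is not from the advisory or the plugin. The sample log lines, the callback file name after the plugin's facebook/ directory, and the 120-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format, not from a real site).
# Only the directory prefix comes from the advisory; the file name after it is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:10:01:05 +0000] "POST /wp-content/plugins/bp-social-connect/includes/social/facebook/callback.php HTTP/1.1" 302 0
203.0.113.7 - - [10/May/2023:10:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
198.51.100.4 - - [10/May/2023:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/May/2023:10:05:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
192.0.2.9 - - [10/May/2023:11:00:00 +0000] "POST /wp-content/plugins/bp-social-connect/includes/social/facebook/callback.php HTTP/1.1" 302 0
192.0.2.9 - - [10/May/2023:11:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
FB_PREFIX = "/wp-content/plugins/bp-social-connect/includes/social/facebook/"
WINDOW = timedelta(seconds=120)  # assumed: how soon after the callback an admin hit is suspicious


def parse(line):
    """Split one combined-log line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_suspicious_social_logins(log_text, window=WINDOW):
    """Return (ip, callback_time, admin_time) for every client that POSTs to the
    plugin's Facebook directory and then reaches /wp-admin/ with 200 within `window`.
    A normal wp-login.php login never touches the plugin path, so it is not flagged."""
    pending = {}  # ip -> time of that client's latest POST to the Facebook endpoint
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path.startswith(FB_PREFIX):
            pending[ip] = when
        elif path.startswith("/wp-admin/") and status == 200 and ip in pending:
            if when - pending[ip] <= window:
                hits.append((ip, pending[ip], when))
            del pending[ip]  # one admin hit per callback, flagged or not
    return hits


if __name__ == "__main__":
    for ip, cb, adm in find_suspicious_social_logins(SAMPLE_LOG):
        print(f"{ip}: Facebook callback at {cb:%H:%M:%S}, wp-admin at {adm:%H:%M:%S}")
```

Flagged pairs still need triage against the plugin version and the user's normal locations; a legitimate Facebook login produces the same sequence, so the hit is a lead, not a verdict.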
🔗 References
- https://lana.codes/lanavdb/1bd0dfd9-ffec-4d69-bc55-286751300cab/
- https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L138
- https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L188
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2914042%40bp-social-connect%2Ftrunk&old=1904372%40bp-social-connect%2Ftrunk&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9?source=cve