CVE-2023-2982

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass authentication in the WordPress Social Login and Register plugin by exploiting insufficient encryption during login validation. Attackers can log in as any existing user, including administrators, if they know the user's email address. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin
Versions: Up to and including 7.6.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects all WordPress installations using the plugin in vulnerable versions, regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover by attackers logging in as administrators, leading to data theft, malware injection, defacement, or ransomware deployment.

🟠 Likely Case: Attackers gain administrative access to compromise the site, steal sensitive data, or install backdoors for persistent access.

🟢 If Mitigated: Limited impact if strong network controls, monitoring, and user privilege restrictions are in place, though authentication bypass remains a critical issue.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the target user's email address, making it straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Social Login and Register' plugin.
4. Click 'Update Now' to update to version 7.6.5 or later.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable the vulnerable plugin (applies to: all)

Temporarily deactivate the plugin to prevent exploitation until patching is possible.

wp plugin deactivate miniorange-login-openid

🧯 If You Can't Patch

  • Disable the plugin immediately to eliminate the attack vector.
  • Implement network-level controls to restrict access to WordPress login pages from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 7.6.4 or lower, the site is vulnerable.

Check Version:

wp plugin get miniorange-login-openid --field=version

Verify Fix Applied:

Confirm the plugin version is 7.6.5 or higher after updating. Test social login functionality to ensure it works without allowing unauthorized access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual login attempts via social login endpoints, especially with mismatched user-agent or IP patterns.
  • Multiple failed or successful logins for different users from the same source in short timeframes.

Network Indicators:

  • Increased traffic to /wp-content/plugins/miniorange-login-openid/ endpoints from suspicious IPs.

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-content/plugins/miniorange-login-openid/*" OR message="*social login*" OR message="*authentication bypass*")
