CVE-2024-6636

9.8 CRITICAL

📋 TL;DR

The WooCommerce Social Login plugin for WordPress contains an authentication bypass that lets unauthenticated attackers register accounts with Administrator privileges. All versions up to and including 2.7.3 are affected. Any WordPress site running a vulnerable version of this plugin is exposed to complete takeover.

💻 Affected Systems

Products:
  • WooCommerce - Social Login WordPress Plugin
Versions: All versions up to and including 2.7.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when plugin is active. No special configuration required.

📦 What is this software?

A commercial WordPress/WooCommerce plugin sold through CodeCanyon that lets visitors register and log in with accounts from social networks instead of a site-local password. Because it creates and logs in user accounts on the site's behalf, a flaw in its account handling translates directly into account takeover.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise: the attacker holds full administrative control and can install backdoors, steal data, deface the site, or use it as a pivot point for further attacks.

🟠 Likely Case

Attackers create Administrator accounts to maintain persistent access, install malware, or exfiltrate sensitive data.

🟢 If Mitigated

If the plugin is deactivated (or registration is blocked) until the patch is applied, and new Administrator accounts are alerted on, impact is limited to detecting and removing any unauthorized accounts.

🌐 Internet-Facing: HIGH - WordPress sites are internet-facing by design, and the exploit needs no credentials.
🏢 Internal Only: LOW exposure, but not immune - the flaw is identical on an intranet site, so anyone who can reach the site's admin-ajax.php endpoint can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single crafted HTTP request is enough; public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4 or later

Vendor Page (CodeCanyon listing): https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'WooCommerce Social Login'.
4. Click 'Update Now' if an update is offered. This is a commercial CodeCanyon plugin, so updates only appear here if the Envato Market plugin (or the vendor's own updater) is installed.
5. Otherwise, download 2.7.4 or later from the vendor and upload it manually (Plugins → Add New → Upload Plugin, or replace the plugin directory over SFTP).
6. Confirm the installed version afterwards (see How to Verify below).

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until it is patched. Social login stops working for users while it is off.

wp plugin deactivate woo-social-login

Restrict Registration (applies to: all)

Disable open user registration in WordPress settings (Settings → General → "Anyone can register"). Confirm afterwards that the social login registration path is actually blocked, since the plugin creates accounts through its own flow; deactivating the plugin is the surer workaround.

wp option update users_can_register 0

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block the vulnerable request pattern: POST requests to /wp-admin/admin-ajax.php whose action parameter is woo_slg_login_email and that carry a role parameter. The rule must inspect the POST body, not just the URL.
  • Enable detailed logging of user registration events (WordPress core does not log them by default, so use an audit-log plugin or a custom user_register hook) and alert on any new account created with the Administrator role.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version under WordPress admin → Plugins → Installed Plugins. If the version is 2.7.3 or lower, you are vulnerable.

Check Version:

wp plugin get woo-social-login --field=version

Verify Fix Applied:

Confirm the plugin version is 2.7.4 or higher. Then exercise the social login registration flow with a test account and confirm the new user receives the site's default role (Settings → General → New User Default Role), not Administrator, and that no unexpected Administrator accounts exist (wp user list --role=administrator).

📡 Detection & Monitoring

Log Indicators:

  • Unusual user registration events, especially outside business hours or from regions the site does not serve
  • New Administrator accounts created from unexpected IPs, or created through a registration path rather than by an existing administrator
  • Multiple failed registration attempts followed by a successful Administrator account creation
  • WordPress core does not write registration events to a log; these indicators assume an audit-log plugin or a custom user_register hook is in place

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=woo_slg_login_email and a role parameter. Standard web server access logs do not record POST bodies, so this requires a WAF, reverse proxy or request-logging layer that captures request bodies.

SIEM Query:

source="wordpress.log" AND "user registration" AND ("administrator" OR "role=administrator")

The query above assumes registration events are written to wordpress.log together with the assigned role; adjust the source and field names to match your audit-log plugin's format.
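
The indicators above can be checked mechanically. The script below is an added example for this page, not code from the advisory, the plugin vendor or a SIEM product. It assumes two inputs, both constructed inline: a JSON-lines request log that records POST bodies (as a WAF or reverse proxy with body logging would; plain access logs do not), and the JSON output of `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`. It flags requests matching the network indicator, flags Administrator accounts that are not on an assumed allowlist or were registered after a cutoff, and correlates the two by time so a responder can see which source IPs were hitting the endpoint when a suspect account appeared.

```python
"""Detection helpers for the CVE-2024-6636 indicators listed on this page.

Added example; not code from the advisory or from the plugin vendor.
Assumed inputs (both constructed below):
  * a JSON-lines request log that records POST bodies (WAF / reverse proxy
    with body logging; ordinary web server access logs do not capture bodies)
  * the JSON output of
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
"""
import json
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# AJAX action named in the advisory's network indicator.
SUSPECT_ACTION = "woo_slg_login_email"

# Constructed sample request log (JSON lines). Two requests from one source
# carry a role parameter; the rest are benign (heartbeat, a normal social
# login without a role parameter, and the ordinary registration page).
SAMPLE_REQUEST_LOG = """\
{"ts":"2024-07-10T02:14:07Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=woo_slg_login_email&email=attacker%40example.net&role=administrator"}
{"ts":"2024-07-10T02:14:09Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=woo_slg_login_email&email=attacker%40example.net&role=administrator"}
{"ts":"2024-07-10T08:00:01Z","src":"198.51.100.20","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&interval=60"}
{"ts":"2024-07-10T09:30:22Z","src":"198.51.100.21","method":"POST","uri":"/wp-admin/admin-ajax.php?_=1","body":"action=woo_slg_login_email&email=customer%40example.org"}
{"ts":"2024-07-10T10:11:12Z","src":"192.0.2.9","method":"GET","uri":"/wp-login.php?action=register","body":""}
"""

# Constructed sample `wp user list --role=administrator` output. "support2"
# was registered one second after the suspicious requests above.
SAMPLE_ADMIN_LIST = json.dumps([
    {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 11:05:44"},
    {"ID": "57", "user_login": "support2", "user_email": "attacker@example.net",
     "user_registered": "2024-07-10 02:14:08"},
])

# Administrator logins the site owner recognises (assumed allowlist).
KNOWN_ADMINS = {"siteowner"}

WP_TS = "%Y-%m-%d %H:%M:%S"      # WordPress user_registered format (stored in UTC)
LOG_TS = "%Y-%m-%dT%H:%M:%SZ"    # timestamp format of the constructed request log


def suspicious_requests(log_text):
    """Return requests matching the network indicator: a POST to admin-ajax.php
    whose parameters (query string or body) set action=woo_slg_login_email and
    also include a role parameter."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        url = urlparse(rec.get("uri", ""))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        params.update(parse_qs(rec.get("body", "")))   # body values win on conflict
        if SUSPECT_ACTION not in params.get("action", []):
            continue
        if "role" in params:
            hits.append({"ts": rec["ts"], "src": rec["src"], "role": params["role"][0]})
    return hits


def unexpected_admins(wp_user_json, known_logins, since):
    """Return administrator records that are either absent from the allowlist
    or were registered at/after `since` (a WordPress-format timestamp string)."""
    cutoff = datetime.strptime(since, WP_TS)
    flagged = []
    for user in json.loads(wp_user_json):
        registered = datetime.strptime(user["user_registered"], WP_TS)
        if user["user_login"] not in known_logins or registered >= cutoff:
            flagged.append(user)
    return flagged


def correlate(hits, admins, window_seconds=300):
    """Map each flagged admin login to the sorted source IPs of suspicious
    requests seen within window_seconds of that account's registration time."""
    result = {}
    for user in admins:
        registered = datetime.strptime(user["user_registered"], WP_TS)
        sources = {
            h["src"] for h in hits
            if abs((datetime.strptime(h["ts"], LOG_TS) - registered).total_seconds()) <= window_seconds
        }
        result[user["user_login"]] = sorted(sources)
    return result


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_REQUEST_LOG)
    flagged = unexpected_admins(SAMPLE_ADMIN_LIST, KNOWN_ADMINS, "2024-07-01 00:00:00")
    for login, sources in correlate(hits, flagged).items():
        print(f"{login}: suspicious source(s) near registration: {sources}")
```

On the sample data the script reports `support2` with `203.0.113.7` as the source active around its registration. A request with `action=woo_slg_login_email` but no `role` parameter (a normal social login) is deliberately not flagged, which keeps the alert volume tied to the indicator rather than to all plugin traffic. The `hits` list is worth keeping as evidence even when no admin account is found, since a blocked attempt still tells you who is probing.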
