
MiniOrange’s WordPress Social Login and Register plugin found vulnerable


In May, cybersecurity researchers at Wordfence Threat Intelligence discovered a critical authentication bypass vulnerability in the WordPress Social Login and Register plugin developed by miniOrange. The flaw allows attackers to access user accounts if they know the email address associated with the account.

After being notified, miniOrange released a patch, version 7.6.4, on June 12. However, that patch was only partially effective and still left the plugin vulnerable. A fully patched version, 7.6.5, followed on June 14. The flaw potentially affects over 30,000 WordPress websites.

All users of the WordPress Social Login and Register plugin are urged to update to version 7.6.5 immediately to protect their sites against this security risk.

The vulnerability in the WordPress Social Login and Register plugin arises from insufficient encryption during the login process. Specifically, the plugin does not adequately encrypt the user data supplied during login validation, allowing unauthenticated attackers to log in as any existing user on the site, including administrators, provided they know the email address associated with the account.

While the initial patch addressed some aspects of the vulnerability, it was only fully resolved in version 7.6.5.

Source: Wordfence

Detailed technical analysis revealed that the encryption key used in vulnerable plugin versions was hardcoded rather than unique per WordPress installation. This critical oversight enabled threat actors to craft valid requests containing properly encrypted email addresses, bypassing authentication and gaining access to arbitrary user accounts.
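To make the key-management point concrete, here is an added Python illustration; it is not the plugin's code, and the article does not describe the plugin's actual scheme. It models a login token built with a hardcoded key shared by every installation beside a hardened version that uses a per-site random secret, an HMAC tag and an expiry. The toy cipher, the key value and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this illustration: a key baked into plugin source, identical on every site.
HARDCODED_KEY = b"constructed-example-shared-plugin-key"


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy deterministic cipher (SHA-256 counter keystream). Illustration only, not a real cipher."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def vulnerable_token(email: str) -> str:
    """Vulnerable model: 'encrypt' the email with the shared key and treat the result as proof of identity."""
    return _xor_keystream(HARDCODED_KEY, email.encode()).hex()


def vulnerable_verify(token: str) -> Optional[str]:
    """Decrypts with the same shared key and trusts whatever email comes out: no per-site secret, no integrity check."""
    try:
        return _xor_keystream(HARDCODED_KEY, bytes.fromhex(token)).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def new_site_secret() -> bytes:
    """Hardened model: each installation generates its own random secret at install time."""
    return secrets.token_bytes(32)


def hardened_token(site_secret: bytes, email: str, now: Optional[int] = None) -> str:
    """Per-site HMAC over the email and a five-minute expiry; the server never decrypts, it only verifies the tag."""
    exp = (now if now is not None else int(time.time())) + 300
    msg = f"{email}|{exp}".encode()
    tag = hmac.new(site_secret, msg, hashlib.sha256).hexdigest()
    return f"{msg.hex()}.{tag}"


def hardened_verify(site_secret: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Accepts the token only if the tag matches this site's secret and the expiry has not passed."""
    try:
        msg_hex, tag = token.split(".", 1)
        msg = bytes.fromhex(msg_hex)
    except ValueError:
        return None
    expected = hmac.new(site_secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    email, exp = msg.decode().rsplit("|", 1)
    if (now if now is not None else int(time.time())) > int(exp):
        return None
    return email
```

In the vulnerable model a token produced anywhere is accepted everywhere, because the key is the same on every site; in the hardened model a token from one site fails verification on another, and tampering with the payload or tag is rejected.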

Exploiting an authentication bypass vulnerability can lead to complete compromise of the WordPress site and further malicious activity.

The disclosure timeline indicates that Wordfence engaged with miniOrange and provided full vulnerability details. Wordfence, although delayed, released firewall rules to protect its premium users against potential exploits; the delay in releasing the rule to free users was to avoid disrupting the plugin’s core functionality.

Many WordPress plugins have had vulnerabilities in the past, including WooCommerce, Advanced Custom Fields, and Elementor Pro.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
