Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Cyber Security Threat Summary:
Wordfence recently disclosed a critical flaw in miniOrange's Social Login and Register plugin for WordPress, which could be leveraged by a malicious threat actor to access any account on websites running the vulnerable plugin. Tracked as CVE-2023-2982 (CVSS score: 9.8), the flaw has been described as an authentication bypass and affects all versions of the plugin up to and including 7.6.4. The vulnerability stems from insufficient encryption of the user identity supplied in a login request validated by the plugin. As a result, an unauthenticated actor can log in as any existing user on the site, including the administrator, provided they know or can find the associated email address.

“While encrypting this information would normally provide protection against manipulating the request and prevent identity spoofing, we unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin, which means that threat actors also had access to the key which was not unique per WordPress installation. This makes it possible for attackers to craft a valid request containing a properly encrypted email address which vulnerable versions of the plugin use during the login process to determine the user,” noted Wordfence in a recent blog post.
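The failure described above is that the value identifying the user is protected only by a key every installation shares, so knowing the key is enough to produce a value the plugin trusts. The following is an added illustration, not code from the plugin or from Wordfence, of the check a defender would want instead: the login value is bound to a per-installation secret (assumed to be generated at install time and stored server-side, never in plugin source), carries an expiry and a nonce, and is verified with an HMAC rather than decrypted. A value produced under any other key, including a constant shared across sites, is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set

MAC_LEN = 32  # SHA-256 output length in bytes


def make_login_token(email: str, site_secret: bytes, now: int, ttl: int = 300) -> str:
    """Issue a short-lived, single-use login token bound to this site's secret."""
    payload = json.dumps(
        {"email": email, "exp": now + ttl, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(site_secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_login_token(token: str, site_secret: bytes, now: int,
                       seen_nonces: Set[str]) -> Optional[str]:
    """Return the email the token vouches for, or None if it must not be trusted."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(site_secret, payload, hashlib.sha256).digest()
    # Constant-time comparison; a token made under a different key fails here.
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data["exp"] < now or data["nonce"] in seen_nonces:
        return None  # expired, or replay of a token already consumed
    seen_nonces.add(data["nonce"])
    return data["email"]


if __name__ == "__main__":
    # Constructed secrets for the demo; a real site would load its own random secret.
    this_site = secrets.token_bytes(32)
    shared_constant_key = b"same-key-in-every-copy-of-plugin"
    good = make_login_token("admin@example.com", this_site, now=1000)
    foreign = make_login_token("admin@example.com", shared_constant_key, now=1000)
    print(verify_login_token(good, this_site, 1100, set()))     # admin@example.com
    print(verify_login_token(foreign, this_site, 1100, set()))  # None
```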

Security Officer Comments:
Wordfence did not disclose whether the flaw was exploited in attacks in the wild. Given that WordPress websites have a track record of being targeted by malicious threat actors, it is important that administrators update their sites to the latest version of WordPress Social Login and Register as soon as possible.

Suggested Correction(s):
Because this flaw can give a threat actor access to the administrator account, attackers could use that access to fully compromise the website and further infect unsuspecting visitors to the site. If you are running any of the vulnerable plugin versions, please ensure you update to the latest version, which is 7.6.5. To further secure accounts, website administrators should enable two-factor authentication, as this adds an additional layer of security.

Link(s):
https://thehackernews.com/2023/06/critical-security-flaw-in-social-login.html