Critical flaw exposes accounts in WordPress plugins

Unauthorized access to WordPress accounts is possible through a vulnerability in the miniOrange plugin for social media login and registration

A critical security flaw has been disclosed in the miniOrange social login and registration plugin for WordPress that could allow an attacker to log in as any user, provided the target's email address is known. Tracked as CVE-2023-2982 with a CVSS score of 9.8, the authentication bypass affects all versions of the plugin up to and including 7.6.4. The fix was released on June 14, 2023, in version 7.6.5, following a responsible disclosure on June 2, 2023.

Details of the vulnerability

According to Wordfence researcher István Márton, the vulnerability lets an unauthenticated attacker gain access to any account on a site, including the accounts used to administer it, if the attacker knows or can discover the associated email address. The root cause is that the encryption key used to protect the data exchanged when logging in through a social media account is hard-coded. Since a hard-coded key is identical on every installation, an attacker can craft a valid request containing a properly encrypted email address, which is the value the plugin uses to identify the user.
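The weakness described above, a fixed key that turns "encrypted email address" into something anyone holding the key can produce, is clearest next to the design that avoids it. The Python below is an added, constructed illustration, not the miniOrange plugin's code nor the exact mechanism of CVE-2023-2982: `STATIC_KEY`, `SocialLoginVerifier` and the token format are assumptions made here, and the hardened variant shows the general remedy (a per-install random key plus a server-issued, expiring, single-use state) rather than the vendor's actual patch.

```python
import hashlib, hmac, json, secrets, time

# Constructed placeholder for a key compiled into plugin source: every install
# ships the same bytes, so it is effectively public. Not the real key.
STATIC_KEY = b"constructed-static-key-in-source"

def _sign(key, claims):
    payload = json.dumps(claims).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.hex() + "." + tag.hex()

def _open(key, token):
    # Returns the claims dict when the HMAC tag verifies under key, else None.
    try:
        body, tag = token.split(".", 1)
        payload, mac = bytes.fromhex(body), bytes.fromhex(tag)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        claims = json.loads(payload) if hmac.compare_digest(expected, mac) else None
    except (ValueError, TypeError):
        return None
    return claims if isinstance(claims, dict) else None

# Weak pattern: a static key, and the only claim is an email address, so a
# valid token proves nothing beyond knowing the key and the address.
def weak_issue(email):
    return _sign(STATIC_KEY, {"email": email})
def weak_verify(token):
    claims = _open(STATIC_KEY, token)
    return claims.get("email") if claims else None

# Hardened pattern: per-install random key, server-issued state, expiry, single use.
class SocialLoginVerifier:
    def __init__(self, ttl_seconds=300):
        self.key = secrets.token_bytes(32)  # generated on this install, not in source
        self.ttl = ttl_seconds
        self.pending = set()  # states handed out but not yet redeemed
    def start(self):
        state = secrets.token_urlsafe(16)  # ties the callback to a login we began
        self.pending.add(state)
        return state
    def issue(self, email, state, now=None):
        now = time.time() if now is None else now
        return _sign(self.key, {"email": email, "state": state, "exp": now + self.ttl})
    def verify(self, token, now=None):
        now = time.time() if now is None else now
        claims = _open(self.key, token)
        if not claims or claims.get("exp", 0) < now or claims.get("state") not in self.pending:
            return None
        self.pending.discard(claims["state"])  # single use: replaying the token fails
        return claims.get("email")
```

In the hardened flow the site calls `start()` before redirecting to the identity provider and `verify()` on the callback, so a token that was not preceded by that site's own `start()`, has expired, was already redeemed, or was signed under another install's key is rejected.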

Potential Impact of the Vulnerability

If the account belongs to the WordPress site administrator, this could lead to a complete compromise. The plugin is used on over 30,000 sites, making the potential impact of this security flaw significant.

Other security issues detected

This alert follows the discovery of a high-severity flaw in the WordPress LearnDash LMS plugin, which has over 100,000 active installs, that could allow any user with an existing account to reset other users' passwords at will, including those of administrators. The bug (CVE-2023-3105, CVSS score: 8.8) was fixed in version 4.6.0.1, released on June 6, 2023. Separately, a few weeks earlier, Patchstack detailed a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1) that could allow an unauthenticated attacker to steal sensitive data and escalate privileges by tricking an admin user into visiting a specially crafted WordPress URL.

06/29/2023 10:26

Editorial AI
