June 29, 2023
A critical security flaw has been discovered in the WordPress “MiniOrange Social Login and Register” plugin.
Successful exploitation may allow an unauthenticated threat actor to gain access to any account on a site, including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
- CVE-2023-2982 (CVSS 3.1: 9.8, Critical) – Authentication bypass vulnerability caused by insufficient encryption on the user being supplied during a login validated through the plugin.
- WordPress “MiniOrange Social Login and Register” plugin – versions up to and including 7.6.4.
CYREBRO recommends updating to the latest plugin version (7.6.5) as soon as possible.
References: Wordfence Advisory