Critical MiniOrange Social Login and Register Plugin Vulnerability

June 29, 2023

A critical security flaw has been discovered in the WordPress “MiniOrange Social Login and Register” plugin.

Successful exploitation may allow an unauthenticated threat actor to gain access to any account on a site, including accounts used to administer the site, if the attacker knows, or can find, the associated email address.

The Vulnerability

  • CVE-2023-2982 (CVSS 3.1: 9.8, Critical) – Authentication bypass vulnerability caused by insufficient encryption on the user being supplied during a login validated through the plugin.

Affected Versions

  • WordPress “MiniOrange Social Login and Register” plugin – versions up to and including 7.6.4.

Mitigation

CYREBRO recommends updating to the latest plugin version – 7.6.5 as soon as possible.

References: Wordfence Advisory
