A critical security flaw in the miniOrange Social Login and Register plugin for WordPress could allow an attacker to log in as any user, even if they do not know the password.
The flaw, which has been assigned the identifier CVE-2023-2982, affects all versions of the plugin up to and including 7.6.4. It was patched in version 7.6.5, which was released on June 14, 2023.
The vulnerability is caused by a hard-coded encryption key that protects the login data exchanged when a user signs in through a social media account. Because the key is fixed in the plugin and therefore known to anyone who can read its source, an attacker could craft a valid request carrying a properly encrypted email address, which would allow them to log in as the user associated with that email address.
The flaw is particularly dangerous because it could allow an attacker to gain access to the account of the WordPress site administrator. This could give the attacker complete control over the site, including the ability to change content, delete files, and even install malware.
The miniOrange Social Login and Register plugin is used on more than 30,000 sites. WordPress users who have installed the plugin should update to version 7.6.5 as soon as possible to protect themselves from this vulnerability.
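To illustrate the design flaw the article describes, here is an added example (not the plugin's code; the article does not describe its actual token format) showing the weak pattern beside a hardened one. HMAC stands in for the plugin's encryption scheme, since the lesson is the same: a key compiled into publicly distributed source authenticates nobody, while a per-installation random key bound to a one-time, expiring login state does. All keys, emails and the `HardenedLogin` class are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for a key shipped inside the plugin source. Anyone who
# downloads the plugin knows it, so a token built with it proves nothing.
HARDCODED_KEY = b"example-hardcoded-key-from-source"

def weak_token(email: str) -> str:
    """Weak design: the only thing 'securing' the email is a public constant."""
    mac = hmac.new(HARDCODED_KEY, email.encode(), hashlib.sha256).hexdigest()
    return f"{email}|{mac}"

def weak_verify(token: str) -> Optional[str]:
    """Accepts any token built with the constant, regardless of who built it."""
    email, mac = token.rsplit("|", 1)
    good = hmac.new(HARDCODED_KEY, email.encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(mac, good) else None

class HardenedLogin:
    """Per-install random key, server-issued one-time state, short expiry."""
    def __init__(self, ttl: int = 300, now=time.time):
        self.key = secrets.token_bytes(32)  # generated at install, never in source
        self.ttl = ttl
        self.now = now
        self.pending: set = set()            # states issued but not yet consumed

    def begin(self) -> str:
        state = secrets.token_urlsafe(16)    # handed to the browser before redirect
        self.pending.add(state)
        return state

    def issue(self, email: str, state: str) -> str:
        """Server-side only, after the social provider has confirmed the identity."""
        body = json.dumps({"e": email, "s": state, "x": int(self.now()) + self.ttl})
        payload = base64.urlsafe_b64encode(body.encode()).decode()
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def verify(self, token: str) -> Optional[str]:
        payload, _, mac = token.rpartition(".")
        good = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, good):
            return None                      # wrong key or tampered payload
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["x"] < self.now() or claims["s"] not in self.pending:
            return None                      # expired, replayed, or never issued
        self.pending.discard(claims["s"])    # one-time use
        return claims["e"]
```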
Here are some tips for staying safe from security vulnerabilities:
- Keep your software up to date.
- Use strong passwords and two-factor authentication.
- Be careful about what information you share online.
- Be aware of the latest security threats.
By following these tips, you can help to protect your WordPress site from security vulnerabilities.