WordPress Social Login Exposes User Accounts

by Alberto Matus

The National Vulnerability Database tracks CVE-2023-2982 (CVSS score: 9.8), a critical vulnerability in the WordPress Social Login and Register plugin. The flaw lets an attacker bypass authentication and log in to an affected WordPress site as any existing user whose email address they know. According to Wordfence, this includes the administrator accounts used to manage sites running the plugin. Since a WordPress administrator can install plugins and edit theme files, taking over such an account amounts to full compromise of the site.

Based on the information provided by Wordfence, this security flaw affects all versions of the plugin up to and including 7.6.4. It is a popular plugin, installed on almost 30,000 websites. The vulnerability is fixed in version 7.6.5, and users of this plugin are urged to update to that version or later.

How Does It Happen?

Based on Wordfence's analysis of the plugin's code, the login request carries encrypted data that the plugin decrypts with a secret key in order to identify the user to log in. Encrypting that payload is a reasonable approach in itself; the flaw is that the encryption key was hardcoded into the plugin's source. The key is therefore not unique to your installation but identical on every site running the plugin, and anyone can read it from the publicly distributed plugin code. With that key and a target's email address, an attacker can construct a payload the plugin will decrypt and accept, which is why knowing an email address is all it takes.
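The following is an added example written for this article, not the plugin's own code (the plugin is PHP; this is a Python model of the same design). It reproduces the shape of the flaw: the server decrypts an email address from the request and opens a session for that account. The key value, the user table, the email addresses and the cipher (an HMAC-SHA256 keystream used as a stand-in for whatever the plugin uses) are all constructed for the demo, and the hardened variant at the end is an assumption about good practice, not a description of what version 7.6.5 actually does.

```python
"""Added example: why a hard-coded key turns "decrypt the e-mail and log that
user in" into an authentication bypass, and one way to design it safely.
Everything here (key, users, cipher) is constructed for the demo."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# The flaw: this key ships inside the plugin, so every site decrypts with it and
# anyone can read it from the public source. Value invented for the demo.
HARDCODED_KEY = b"demo-hardcoded-key-0123456789abc"

# Constructed user table: e-mail -> (user id, role)
USERS = {
    "alice@example.com": (7, "subscriber"),
    "admin@example.com": (1, "administrator"),
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# --- Vulnerable design: whoever holds the shared key can mint a login token ---
def vulnerable_login(token: bytes) -> Optional[Tuple[int, str]]:
    """Decrypt the e-mail and log that account in. Returns (user id, role) or None."""
    email = decrypt(HARDCODED_KEY, token).decode("utf-8", errors="replace")
    return USERS.get(email)


def forge_token(victim_email: str) -> bytes:
    """The attacker's step: the key is public, so they just encrypt the victim's address."""
    return encrypt(HARDCODED_KEY, victim_email.encode())


# --- Hardened design (assumed good practice, not a claim about the real fix) ---
# 1. per-site random key generated at install time, kept server-side only
# 2. separate encryption and MAC subkeys; the token is authenticated and carries
#    an expiry, so it can neither be tampered with nor replayed indefinitely
# 3. a token is only issued after the identity provider has confirmed the address
SITE_KEY = os.urandom(32)   # would live in the database, never in the source
ENC_KEY = hmac.new(SITE_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(SITE_KEY, b"mac", hashlib.sha256).digest()
TOKEN_TTL = 60              # seconds


def issue_token(verified_email: str, now: Optional[float] = None) -> bytes:
    """Called only after the OAuth provider returned this address for this login."""
    now = time.time() if now is None else now
    body = encrypt(ENC_KEY, f"{verified_email}|{int(now) + TOKEN_TTL}".encode())
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def hardened_login(token: bytes, now: Optional[float] = None) -> Optional[Tuple[int, str]]:
    now = time.time() if now is None else now
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return None                         # forged, tampered, or wrong site key
    try:
        email, expiry = decrypt(ENC_KEY, body).decode().rsplit("|", 1)
        if int(expiry) < now:
            return None                     # expired
    except (UnicodeDecodeError, ValueError):
        return None                         # malformed payload
    return USERS.get(email)


if __name__ == "__main__":
    forged = forge_token("admin@example.com")
    print("vulnerable site, forged token:", vulnerable_login(forged))
    print("hardened site, same forgery:  ", hardened_login(forged))
    print("hardened site, real login:    ", hardened_login(issue_token("alice@example.com")))
```

The forged token works against the vulnerable handler because nothing in the design distinguishes "the plugin encrypted this after the provider verified the user" from "someone with the public key encrypted this"; the secret that was supposed to make that distinction is not secret. Per-site keys close the cross-site forgery, and the MAC plus expiry mean a token cannot be altered or reused later even if one is captured.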

Wordfence Timeline of Vulnerability Discovery

May 28, 2023 – Discovery of the Authentication Bypass vulnerability in WordPress Social Login and Register.
May 30, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
June 2, 2023 – The vendor confirms the inbox for handling the discussion.
June 2, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 2, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Please note we delayed the firewall rule to prevent completely breaking the plugin’s core functionality.
June 14, 2023 – A fully patched version of the plugin, 7.6.5, is released.
July 2, 2023 – Wordfence Free users receive the same protection.
