Refine your search
2 vulnerabilities found for miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) by cyberlord92
CVE-2024-11087 (GCVE-0-2024-11087)
Vulnerability from cvelistv5
Published
2025-03-08 07:04
Modified
2026-04-08 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) |
Version: 0 ≤ 200.3.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T16:59:55.579223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T16:08:20.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "200.3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:33:34.157Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f677b257-606a-45f2-ba85-3a56b8df2a3c?source=cve"
},
{
"url": "https://www.miniorange.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-07T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon \u003c= 200.3.9 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11087",
"datePublished": "2025-03-08T07:04:55.340Z",
"dateReserved": "2024-11-11T19:15:13.435Z",
"dateUpdated": "2026-04-08T17:33:34.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2982 (GCVE-0-2023-2982)
Vulnerability from cvelistv5
Published
2023-06-29 01:56
Modified
2026-04-08 16:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Summary
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) |
Version: 0 ≤ 7.6.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid"
},
{
"tags": [
"x_transferred"
],
"url": "https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2982",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:18:20.310071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:18:29.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "7.6.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:20.273Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid"
},
{
"url": "https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-28T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-30T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-06-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) \u003c= 7.6.4 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2982",
"datePublished": "2023-06-29T01:56:56.207Z",
"dateReserved": "2023-05-30T13:38:43.774Z",
"dateUpdated": "2026-04-08T16:34:20.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}