CVE-2024-11087

High CVSS: 8.1

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.

Vendor

Miniorange

Product

Social Login

CWE

CWE-287

Yayın Tarihi

2025-03-08 07:15:09

Güncelleme

2025-03-13 13:09:46

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-287 Social Login HIGH Miniorange 2025

Referanslar

https://www.miniorange.com/ https://www.wordfence.com/threat-intel/vulnerabilities/id/f677b257-606a-45f2-ba85-3a56b8df2a3c?source=cve

Benzer Kayıtlar

Medium

CVE-2026-3217

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO -…

Medium

CVE-2025-6675

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows…

High

CVE-2025-47708

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forg…

Medium

CVE-2025-47709

Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.This issue affect…

High

CVE-2025-47710

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows…

Medium

CVE-2025-47706

Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services w…