Wp Social Login and Register Social Counter < 3.0.1 – Missing Authorization to Unauthenticated Social Login/Share Status Update | CVE 2024-1763 | Plugin Vulnerabilities

Description

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features.

Affects Plugins

Fixed in 3.0.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f145c85-f3c6-46a7-b8ae-d486dd23087d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

169bb355-8eef-4785-8c3c-1b8d54e7e61a

Timeline

Publicly Published

2024-02-29 (about 2 years ago)

Added

2024-02-29 (about 2 years ago)

Last Updated

2024-02-29 (about 2 years ago)

Other

Published

Title

Published

2024-12-11

Title

Firebase OTP Authentication <= 1.0.1 - Missing Authorization to Privilege Escalation

Published

2022-02-28

Title

Unauthorised AJAX Calls via Freemius

Published

2025-03-27

Title

Tickera < 3.5.5.3 - Missing Authorization

Published

2025-11-10

Title

Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

Published

2025-09-05

Title

Product Carousel Slider for Elementor <= 2.1.3 - Missing Authorization