WordPress Plugin Vulnerabilities

Pie Register < 3.1.7.6 - Unauthenticated Arbitrary Login

Description

The plugin has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username

Proof of Concept

Affects Plugins

Plugin icon
pie-register
Fixed in 3.1.7.6

References

CVE
CVE-2021-24647

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
AyeCode Ltd
Submitter
Stiofan
Submitter website
https://ayecode.io/
Submitter twitter
_stiofan
Verified
Yes
WPVDB ID
40d347b1-b86e-477d-b4c6-da105935ce37

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Editorial Calendar 2.6 - Permission Verification Arbitrary Calendar Post Deletion
Published
2016-12-23
Title
BuddyPress 2.0-2.7.3 - Arbitrary File Deletion
Published
2024-11-27
Title
Contest Gallery < 24.0.8 - Unauthenticated Arbitrary Password Reset
Published
2025-12-04
Title
Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover
Published
2024-09-03
Title
PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion