WordPress Plugin Vulnerabilities

Social Login < 5.10.0 - Authentication Bypass

Description

The plugin is vulnerable to authentication bypass due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Affects Plugins

Plugin icon
oa-social-login
Fixed in 5.10.0

References

CVE
CVE-2024-10961
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/43a64074-ca64-4c34-b467-06d1ad8c5aa0

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
4319cab8-e00f-437c-a514-a54775244b9f

Timeline

Publicly Published
2024-11-22 (about 1 year ago)
Added
2024-12-02 (about 1 year ago)
Last Updated
2024-12-06 (about 1 year ago)

Other

Published
Title
Published
2019-03-17
Title
Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import
Published
2024-10-25
Title
1-Click Login: Passwordless Authentication 1.4.5 - Authentication Bypass
Published
2026-03-12
Title
RegistrationMagic < 6.0.7.2 - Authentication Bypass
Published
2025-12-09
Title
Elated Membership < 1.3 - Authentication Bypass via Social Login
Published
2014-08-01
Title
Delightful Downloads 1.3.1.1 - meta-boxes.php dedo_meta_boxes_save Function Multiple Action Authorization Bypass