WordPress Plugin Vulnerabilities

ZM Ajax Login & Register <= 2.0.2 - Unauthenticated Authentication Bypass

Description

The plugin does not validate that users are allowed to login through the Facebook feature, allowing unauthenticated to be authenticate as any user (such as admin) by simply knowing the username

Affects Plugins

Plugin icon
zm-ajax-login-register
No known fix

References

CVE
CVE-2023-2027

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
4efb637f-7392-4cc8-b4da-9ad7e67933a1

Timeline

Publicly Published
2023-04-14 (about 3 years ago)
Added
2023-04-15 (about 3 years ago)
Last Updated
2023-04-15 (about 3 years ago)

Other

Published
Title
Published
2025-08-01
Title
Brave Conversion Engine (PRO) < 0.8.0 - Authentication Bypass
Published
2023-06-20
Title
BookIt < 2.3.8 - Authentication Bypass
Published
2024-09-30
Title
Wechat Social login <= 1.3.0 - Authentication Bypass
Published
2024-11-08
Title
CE21 Suite < 2.2.1 - Authentication Bypass
Published
2022-02-22
Title
RW Divi Unite Gallery <= 1.0 - Security Bypass via Outdated Freemius