WordPress Plugin Vulnerabilities

BP Social Connect < 1.6.2 - Authentication Bypass

Description

The plugin does not properly verify the user through its Facebook login, which could allow attackers to login as any user knowing their email address

Affects Plugins

Plugin icon
bp-social-connect
Fixed in 1.6.2

References

CVE
CVE-2023-2704

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
677d5f08-5f39-4627-b15f-c4b113eff520

Timeline

Publicly Published
2023-05-18 (about 2 years ago)
Added
2023-05-19 (about 2 years ago)
Last Updated
2023-05-19 (about 2 years ago)

Other

Published
Title
Published
2025-12-26
Title
Mobile builder <= 1.4.2 - Authentication Bypass
Published
2020-03-26
Title
IMPress for IDX Broker < 2.6.2 - Authenticated Post Creation, Modification, and Deletion
Published
2015-03-21
Title
WP Marketplace <= 2.4.0 - Arbitrary File Download
Published
2024-12-11
Title
Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user
Published
2025-07-03
Title
WP Compress < 6.30.31 - Unauthenticated Broken Authentication