WordPress Plugin Vulnerabilities

miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon < 200.3.10 - Authentication Bypass

Description

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.

Affects Plugins

Plugin icon
miniorange-login-openid
Fixed in 200.3.10

References

CVE
CVE-2024-11087
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f677b257-606a-45f2-ba85-3a56b8df2a3c

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
8.1 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
8931cc88-c212-4905-abc0-4b8faaa37a01

Timeline

Publicly Published
2025-03-07 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-31 (about 1 year ago)

Other

Published
Title
Published
2024-10-25
Title
Stacks Mobile App Builder <= 5.2.3 - Authentication Bypass
Published
2025-11-04
Title
KiotViet Sync <= 1.8.5 - Authorization Bypass via Use of Hard-coded Password
Published
2026-01-15
Title
Workreap Core <= 3.4.0 - Authentication Bypass
Published
2022-04-21
Title
WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR
Published
2025-11-21
Title
Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation