WordPress Plugin Vulnerabilities

Loginizer Security and Loginizer < 1.9.3 - Authentication Bypass

Description

The plugins are vulnerable to authentication bypass due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they known the email address and the user does not have an already-existing account for the service returning the token.

Affects Plugins

Plugin icon
loginizer
Fixed in 1.9.3
Plugin icon
loginizer-security
Fixed in 1.9.3

References

CVE
CVE-2024-10097
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00b22-d766-4fde-86fe-98d90936028c

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
8.1 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
e328ff3a-532e-4898-a719-bd09f27deeb2

Timeline

Publicly Published
2024-11-04 (about 1 year ago)
Added
2024-11-05 (about 1 year ago)
Last Updated
2024-11-05 (about 1 year ago)

Other

Published
Title
Published
2008-01-15
Title
Spambam <= 2.1 - Authorisation Bypass
Published
2026-02-14
Title
Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.72 - Unauthenticated Arbitrary Plugin Installation
Published
2025-12-04
Title
Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification < 2.0.45 - Authentication Bypass to Account Takeover
Published
2025-11-18
Title
YITH WooCommerce Wishlist < 4.10.1 - Wishlist Item Deletion via Wishlist Token Disclosure
Published
2015-03-09
Title
MainWP Child <= 2.0.9.1 - Authentication Bypass