Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated (AV:N/PR:N/UI:N); offline OTP crack in under a second keeps AC:L; admin takeover yields full C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied - granting full administrator access.
Articles & Coverage 1
AnalysisAI
Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The plugin must be installed and active with its social-login / Profile Completion flow reachable, and the attack targets accounts on installs where the plugin's customer_key option is static or empty (empty on installations never registered with miniOrange, which maximizes crackability). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All independent signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker initiates the plugin's social-login Profile Completion flow and submits 'email_field' set to a known administrator address on the target site. The server emails an OTP to that admin and, in the same response, returns the SHA-512(customer_key||otp) transaction hash; the attacker brute-forces the ~99,000-value OTP offline in under a second (customer_key is static or empty), then submits the recovered OTP to mo_openid_social_login_validate_otp() and is logged in as the administrator. … |
| Remediation | Upstream fix available (changeset 3592642); a released patched version above 7.7.0 is referenced by the vendor's SVN commit but the exact tagged release is not independently confirmed in the provided data - update the plugin to the latest available version from the WordPress.org repository and verify it is newer than 7.7.0, consulting the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/a56b59ce-29c2-4172-b703-a06d7bb28da0) and the changeset (https://plugins.trac.wordpress.org/changeset/3592642/) for the fixed version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations running miniOrange Social Login plugin version 7.7.0 or earlier; disable the plugin immediately as containment; monitor administrative accounts for suspicious login attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43026
GHSA-6rhq-rx45-fhhp