Skip to main content

miniOrange Social Login CVE-2026-12761

| EUVDEUVD-2026-43026 CRITICAL
Improper Authentication (CWE-287)
2026-07-10 Wordfence GHSA-6rhq-rx45-fhhp
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Remote unauthenticated (AV:N/PR:N/UI:N); offline OTP crack in under a second keeps AC:L; admin takeover yields full C:H/I:H/A:H with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 21:29 vuln.today
CVE Published
Jul 10, 2026 - 20:31 nvd
CRITICAL 9.8

DescriptionCVE.org

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied - granting full administrator access.

AnalysisAI

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target admin email
Delivery
POST arbitrary email_field to Profile Completion OTP endpoint
Exploit
Server leaks SHA-512(customer_key||otp) hash
Install
Brute-force 99,000-value OTP offline in <1s
C2
Submit cracked OTP to validate_otp
Execute
Authenticated as administrator
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation The plugin must be installed and active with its social-login / Profile Completion flow reachable, and the attack targets accounts on installs where the plugin's customer_key option is static or empty (empty on installations never registered with miniOrange, which maximizes crackability). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All independent signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker initiates the plugin's social-login Profile Completion flow and submits 'email_field' set to a known administrator address on the target site. The server emails an OTP to that admin and, in the same response, returns the SHA-512(customer_key||otp) transaction hash; the attacker brute-forces the ~99,000-value OTP offline in under a second (customer_key is static or empty), then submits the recovered OTP to mo_openid_social_login_validate_otp() and is logged in as the administrator. …
Remediation Upstream fix available (changeset 3592642); a released patched version above 7.7.0 is referenced by the vendor's SVN commit but the exact tagged release is not independently confirmed in the provided data - update the plugin to the latest available version from the WordPress.org repository and verify it is newer than 7.7.0, consulting the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/a56b59ce-29c2-4172-b703-a06d7bb28da0) and the changeset (https://plugins.trac.wordpress.org/changeset/3592642/) for the fixed version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations running miniOrange Social Login plugin version 7.7.0 or earlier; disable the plugin immediately as containment; monitor administrative accounts for suspicious login attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy