Skip to main content

Directorist Social Login CVE-2026-22337

| EUVDEUVD-2026-25814 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-04-27 Patchstack
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 27, 2026 - 18:52 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 18:37 nvd
Patch available
Patch available
Apr 27, 2026 - 12:01 EUVD
Analysis Generated
Apr 27, 2026 - 11:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 11:00 euvd
EUVD-2026-25814
Analysis Generated
Apr 27, 2026 - 11:00 vuln.today
CVE Published
Apr 27, 2026 - 10:31 nvd
CRITICAL 9.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation.This issue affects Directorist Social Login: from n/a before 2.1.4.

AnalysisAI

Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.

Technical ContextAI

Directorist Social Login is a WordPress plugin (CPE: cpe:2.3:a:directorist:directorist_social_login) that integrates third-party social authentication providers (Google, Facebook, Twitter, etc.) for user registration and login. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), a class of flaws where applications fail to properly validate or restrict privilege levels during authentication or authorization operations. In WordPress context, this typically manifests when social login callbacks incorrectly assign user roles - such as granting 'administrator' instead of 'subscriber' - due to missing validation of OAuth response data, insufficient role mapping logic, or failure to sanitize user metadata from social providers. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N indicates the flaw is exploitable remotely without requiring existing credentials or victim interaction, suggesting the privilege escalation occurs during the initial social login account creation or linking process rather than requiring an existing authenticated session.

RemediationAI

Upgrade Directorist Social Login plugin to version 2.1.4 or later immediately via WordPress admin dashboard (Plugins → Installed Plugins → Update) or manual installation from WordPress.org repository. Vendor-released patch in version 2.1.4 addresses incorrect privilege assignment during social authentication flows. Post-upgrade, audit existing user accounts created via social login for unauthorized administrator-level accounts: review Users → All Users for recently created admin accounts without legitimate business justification, and demote or delete suspicious accounts. If immediate patching is not feasible, disable all social login functionality as compensating control: deactivate Directorist Social Login plugin entirely or disable specific OAuth providers in plugin settings (Directorist → Settings → Social Login) - this prevents exploitation but breaks legitimate social login workflows for end users. For high-risk environments, consider temporarily restricting wp-login.php and wp-admin access to trusted IP addresses via web server rules until patch deployment is complete. Review web server access logs for anomalous social login callback requests (wp-admin/admin-ajax.php or plugin-specific OAuth endpoints) in the 30 days prior to patching to identify potential compromise. No workaround maintains social login functionality while mitigating the vulnerability - upgrade is the only complete remediation.

Share

CVE-2026-22337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy