Skip to main content

Heateor Social Login CVE-2026-57751

| EUVDEUVD-2026-41307 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-02 Patchstack GHSA-g8qg-f769-3pm2
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Unauthenticated network CSRF (PR:N) requiring victim interaction (UI:R); High C/I reflect account/config manipulation, no availability impact, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:24 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.

AnalysisAI

Cross-Site Request Forgery in the Heateor Social Login WordPress plugin (versions up to and including 1.1.39) lets an unauthenticated remote attacker forge state-changing requests that are executed with a logged-in victim's privileges once the victim is lured into interacting with a malicious page. The CVSS 3.1 score is 8.1 with High confidentiality and integrity impact, reflecting potential account or configuration manipulation, though exploitation is gated on user interaction (UI:R). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious CSRF page
Delivery
Lure authenticated WordPress user to visit
Exploit
Browser auto-submits forged request with session cookies
Execution
Plugin executes unauthorized state change
Impact
Account or configuration compromised

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim who is already authenticated to the target WordPress site (ideally an administrator or a user whose session can perform the impacted action) to be tricked into interacting with attacker-controlled content while that session is active - this UI:R requirement is the key limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N describes a network-reachable, low-complexity, unauthenticated attack that nonetheless requires user interaction (UI:R), which is the primary limiting factor - the attacker must convince a logged-in user (ideally an administrator) to visit a crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a web page containing a hidden auto-submitting form or image that targets a vulnerable state-changing endpoint of the Heateor Social Login plugin, then lures a logged-in WordPress administrator to visit it (for example via a phishing link). The victim's browser automatically submits the forged request with valid session cookies, and the server performs the attacker-chosen action - such as altering plugin/account settings or linking an attacker-controlled identity. …
Remediation No vendor-released patch version was identified in the provided data, so update to the latest available release of Heateor Social Login (any version newer than 1.1.39) as soon as one is published and confirmed via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/heateor-social-login/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using Heateor Social Login plugin (versions 1.1.39 and earlier) and disable it immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy