Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Unauthenticated network CSRF (PR:N) requiring victim interaction (UI:R); High C/I reflect account/config manipulation, no availability impact, scope unchanged.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.
AnalysisAI
Cross-Site Request Forgery in the Heateor Social Login WordPress plugin (versions up to and including 1.1.39) lets an unauthenticated remote attacker forge state-changing requests that are executed with a logged-in victim's privileges once the victim is lured into interacting with a malicious page. The CVSS 3.1 score is 8.1 with High confidentiality and integrity impact, reflecting potential account or configuration manipulation, though exploitation is gated on user interaction (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim who is already authenticated to the target WordPress site (ideally an administrator or a user whose session can perform the impacted action) to be tricked into interacting with attacker-controlled content while that session is active - this UI:R requirement is the key limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N describes a network-reachable, low-complexity, unauthenticated attack that nonetheless requires user interaction (UI:R), which is the primary limiting factor - the attacker must convince a logged-in user (ideally an administrator) to visit a crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a web page containing a hidden auto-submitting form or image that targets a vulnerable state-changing endpoint of the Heateor Social Login plugin, then lures a logged-in WordPress administrator to visit it (for example via a phishing link). The victim's browser automatically submits the forged request with valid session cookies, and the server performs the attacker-chosen action - such as altering plugin/account settings or linking an attacker-controlled identity. … |
| Remediation | No vendor-released patch version was identified in the provided data, so update to the latest available release of Heateor Social Login (any version newer than 1.1.39) as soon as one is published and confirmed via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/heateor-social-login/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations using Heateor Social Login plugin (versions 1.1.39 and earlier) and disable it immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41307
GHSA-g8qg-f769-3pm2