Miniorange Social Login And Register Discord Google Twitter Linkedin
Monthly
Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.
Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.