cbcvebase.
CVE-2023-2982
published 2023-06-29

CVE-2023-2982: The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and…

PriorityP189critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
46.95%
98.7th percentile
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

Affected

1 ranges
VendorProductVersion rangeFixed in
miniorangewordpress_social_login_and_register< 7.6.57.6.5

Detection & IOCsextracted from sources · hover to see the quote

urlPOST / HTTP/1.1 with option=moopenid&email=uzmpvjPBmwEO3tFXq0vlJg%3D%3D&appName=rlHeqZw2vrPzOiWWfCParA%3D%3D
path/wp-content/plugins/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107
  • Detect exploit attempts by monitoring POST requests to WordPress root (/) with the body parameter `option=moopenid`, which is the trigger for the authentication bypass in the Miniorange Social Login plugin.
  • A successful exploitation results in an HTTP 302 redirect response AND the presence of `wordpress_sec_` or `wordpress_logged_in_` cookies being set — monitor for this combination following a POST with `option=moopenid`.
  • The exploit payload uses Base64-encoded (encrypted) values for the `email` and `appName` POST parameters. Look for URL-encoded Base64 strings (e.g., `%3D%3D` padding) in these fields as a signature of exploitation attempts.
  • The vulnerability exists in the plugin file `mo-openid-social-login-functions.php` at line 107. Audit or monitor file integrity of this path in WordPress installations running miniorange-login-openid plugin versions <= 7.6.4.
  • The vulnerability allows unauthenticated attackers to log in as any existing user (including administrators) if they know the target's email address. Monitor for unexpected admin-level session creation without prior authentication flow.
  • ·The vulnerability was only partially patched in version 7.6.4 and fully patched in version 7.6.5. Detection rules targeting version checks must account for both 7.6.3 and 7.6.4 as vulnerable.
  • ·The Nuclei template targets the WordPress root path (`/`) with `Content-Type: application/x-www-form-urlencoded`. Detection must be scoped to WordPress sites with the miniorange-login-openid plugin installed, as the `option=moopenid` parameter is plugin-specific.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.