A significant security vulnerability has been identified in the miniOrange Social Login and Register plugin for WordPress, potentially allowing malicious parties to gain unauthorized access to user accounts based on pre-known email addresses.
This vulnerability, tracked as CVE-2023-2982 and assigned a critical CVSS score of 9.8, affects all versions of the plugin up to and including 7.6.4. It was fixed in version 7.6.5, released on June 14, 2023, following responsible disclosure on June 2, 2023.
Researcher István Márton from Wordfence noted that “the vulnerability enables an unauthenticated attacker to access any account on a site, including those with administrative privileges, provided they know or can ascertain the email address associated with the account.” The root cause is a hard-coded encryption key used to protect login information during social media logins; because the key is the same on every installation, it can be used to forge valid login requests, potentially compromising administrator accounts.
The ramifications of this vulnerability are particularly severe, given that it affects over 30,000 WordPress installations. Should an attacker exploit this flaw against a site administrator’s account, they could achieve complete control over the site.
This disclosure follows closely on the heels of another high-severity vulnerability affecting the LearnDash LMS plugin, which has over 100,000 active installations. Named CVE-2023-3105 and rated with a CVSS score of 8.8, it allows any user with an established account to reset the passwords of arbitrary users, including those with administrative access. This vulnerability was patched in version 4.6.0.1, released on June 6, 2023.
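The practical check a site operator wants after reading the two advisories above is whether an installed copy of either plugin is still below the first fixed release. The following is an added example (not code from the article, Wordfence, or the plugin vendors): it parses the standard WordPress plugin file header for the `Version:` field and compares versions component-wise, which matters here because LearnDash's fix shipped as the four-component release 4.6.0.1. The plugin directory names used as keys and the sample plugin headers are constructed for the example.

```python
import re

# First fixed release and CVE per plugin, as stated in the article.
# Keys are the plugin directory names this checker expects (an assumption;
# the article names the plugins, not their directories on disk).
FIXED_VERSIONS = {
    "miniorange-social-login": ("7.6.5", "CVE-2023-2982"),
    "learndash-lms": ("4.6.0.1", "CVE-2023-3105"),
}

# Matches 'Plugin Name:' and 'Version:' lines in a WordPress plugin header,
# with or without a leading ' * ' from a /** ... */ comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin main file."""
    return dict(HEADER_RE.findall(php_source))


def version_key(version):
    """Numeric tuple for comparison. Missing trailing components count as
    zero, so '4.6.0' sorts below '4.6.0.1' and equal to '4.6.0.0'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(installed, first_fixed):
    return version_key(installed) < version_key(first_fixed)


def audit(plugins):
    """plugins maps plugin directory name -> contents of its main PHP file.
    Returns one finding per plugin still below its first fixed release."""
    findings = []
    for slug, source in plugins.items():
        if slug not in FIXED_VERSIONS:
            continue
        fixed, cve = FIXED_VERSIONS[slug]
        installed = parse_plugin_header(source).get("Version")
        if installed is None:
            findings.append(f"{slug}: no Version header, treat as unpatched ({cve})")
        elif is_vulnerable(installed, fixed):
            findings.append(f"{slug} {installed} < {fixed}: {cve}")
    return findings


# Constructed sample headers, not real plugin files.
SAMPLE_PLUGINS = {
    "miniorange-social-login": "<?php\n/**\n * Plugin Name: miniOrange Social Login\n * Version: 7.6.4\n */\n",
    "learndash-lms": "<?php\n/*\nPlugin Name: LearnDash LMS\nVersion: 4.6.0.1\n*/\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGINS):
        print(finding)
```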
Moreover, recent weeks have seen discussions surrounding a cross-site request forgery (CSRF) vulnerability in the UpdraftPlus plugin (CVE-2023-32960, CVSS score: 7.1), which could facilitate sensitive data theft and privilege escalation through spear-phishing techniques to lure users into visiting a malicious WordPress URL.
Viewed through the MITRE ATT&CK framework, these three vulnerabilities map onto familiar tactics: initial access (the CSRF case relies on social engineering to get a user to visit a crafted URL), privilege escalation (taking over administrator accounts through the authentication bypass and password reset flaws), and persistence (the foothold that administrative control of a site provides). Framing the flaws this way helps organizations decide which detections and mitigations to prioritize.