WordPress plugin vulnerability puts user accounts at risk

More than 30,000 WordPress sites using miniOrange's Social Login and Register plugin could have their user accounts exposed through exploitation of a critical authentication bypass vulnerability, tracked as CVE-2023-2982, according to The Hacker News. The flaw stems from a hardcoded encryption key used to protect the data returned from social media-based logins; because a hardcoded key is identical on every installation, anyone who extracts it from the plugin can forge that data. It "makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address," said Wordfence researcher Istvan Marton. Patches for the flaw, which impacts all plugin versions released before the fix, were published on June 14. The disclosure follows other recent WordPress plugin flaws, including a high-severity bug in the LearnDash LMS plugin, tracked as CVE-2023-3105, and a cross-site request forgery bug in the UpdraftPlus plugin, tracked as CVE-2023-32960. Both have already been addressed.
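As an added illustration of the vulnerability class the article describes (this is not code from the plugin, from Wordfence or from SC Media), the Go sketch below models a social-login callback that trusts an encrypted token carrying the user's e-mail address. The only difference between the vulnerable site and the fixed one is where the encryption key comes from: a literal shipped in the plugin source, or a random key generated for that installation. All names, the key value and the user table are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// shippedKey stands in for a key embedded in a plugin's source. The value is
// constructed for this example and is not the real plugin's key.
var shippedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// loginClaims is what the social-login callback hands back: who just logged in.
type loginClaims struct {
	Email string `json:"email"`
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates claims with AES-GCM under key and returns
// nonce||ciphertext. Anyone holding key can mint a token for any e-mail.
func seal(key []byte, c loginClaims) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// open reverses seal; GCM's tag check rejects tokens made under another key.
func open(key, token []byte) (loginClaims, error) {
	var c loginClaims
	gcm, err := gcmFor(key)
	if err != nil {
		return c, err
	}
	if len(token) < gcm.NonceSize() {
		return c, errors.New("token too short")
	}
	plain, err := gcm.Open(nil, token[:gcm.NonceSize()], token[gcm.NonceSize():], nil)
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(plain, &c)
}

// site models one installation: its token key and its users (email -> role).
type site struct {
	key   []byte
	users map[string]string
}

// newSiteWithShippedKey is the vulnerable pattern: every install trusts the
// same key that anyone can read out of the plugin's source.
func newSiteWithShippedKey(users map[string]string) *site {
	return &site{key: shippedKey, users: users}
}

// newSiteWithRandomKey is the fix: a key generated per install at activation
// and kept in that site's own storage, never in shipped code.
func newSiteWithRandomKey(users map[string]string) (*site, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &site{key: key, users: users}, nil
}

// loginWithToken is the callback handler: decrypt the token, look the user up
// by e-mail and return that user's role.
func (s *site) loginWithToken(token []byte) (string, error) {
	c, err := open(s.key, token)
	if err != nil {
		return "", errors.New("invalid token")
	}
	role, ok := s.users[c.Email]
	if !ok {
		return "", errors.New("unknown user")
	}
	return role, nil
}
// attackerForge models an unauthenticated attacker who has read the plugin
// source (so knows shippedKey) and knows the target's e-mail address.
func attackerForge(s *site, email string) (string, error) {
	tok, err := seal(shippedKey, loginClaims{Email: email})
	if err != nil {
		return "", err
	}
	return s.loginWithToken(tok)
}
```

Against the site built with newSiteWithShippedKey, attackerForge logs in as the administrator with nothing but the e-mail address; against the site built with newSiteWithRandomKey the same forged token fails GCM's tag check and is rejected. When reviewing a plugin for this pattern, the check is whether the key handed to the encryption or MAC routine is a string literal in the source (and therefore the same on every site) or is read from per-install storage created at activation. A per-site key alone is still a thin defence for a callback that treats a bare e-mail address as proof of identity; binding the token to the provider's response (a state or nonce the site issued) and giving it a short lifetime limits what a leaked key or a captured token can do.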
