On May 28, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence will receive the same protection on July 2, 2023.
We contacted miniOrange on May 30, 2023, and received a response on June 2, 2023. After we provided full disclosure details, the developer released the first patch, which still contained a vulnerability, in version 7.6.4 on June 12, 2023. A fully patched version, 7.6.5, was released on June 14, 2023.
We urge users to ensure their sites have been updated with the latest patched version of WordPress Social Login and Register, which is version 7.6.5 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug: woocommerce-abandoned-cart
Affected Versions: <= 7.6.4
CVE ID: CVE-2023-2982
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 7.6.5
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
Technical Analysis
The WordPress Social Login and Register plugin, according to its settings, provides the ability for users to login to a WordPress website using a social login through various popular social media platforms and service providers. Examining the code reveals that there is a case with custom apps, where the data is sent encrypted during the login process. The data required for login must be decrypted using the secret key at the request.
function mo_openid_process_social_login() { if ( is_user_logged_in() ) { return; } // Decrypt all entries $decrypted_user_name = isset( $_POST['username'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['username'] ) ) : ''; // phpcs:ignore $decrypted_user_name = str_replace( ' ', '-', $decrypted_user_name ); $decrypted_user_name = sanitize_text_field( $decrypted_user_name, true ); $decrypted_email = isset( $_POST['email'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['email'] ) ) : ''; // phpcs:ignore if ( $decrypted_user_name == null ) { $name_em = explode( '@', $decrypted_email ); $decrypted_user_name = isset( $name_em[0] ) ? $name_em[0] : ''; } $decrypted_first_name = isset( $_POST['firstName'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['firstName'] ) ) : ''; //phpcs:ignore if ( $decrypted_first_name == null ) { $name_em = explode( '@', $decrypted_email ); $decrypted_first_name = isset( $name_em[0] ) ? $name_em[0] : ''; } $decrypted_app_name = isset( $_POST['appName'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['appName'] ) ) : ''; //phpcs:ignore $decrypted_app_name = strtolower( $decrypted_app_name ); $split_app_name = explode( '_', $decrypted_app_name ); // check to ensure login starts at the click of social login button if ( empty( $split_app_name[0] ) ) { wp_die( esc_attr( get_option( 'mo_manual_login_error_message' ) ) ); } else { $decrypted_app_name = strtolower( $split_app_name[0] ); } $appuserdetails = array( 'first_name' => $decrypted_first_name, 'last_name' => isset( $_POST['lastName'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['lastName'] ) ) : '', //phpcs:ignore 'email' => $decrypted_email, 'user_name' => $decrypted_user_name, 'user_url' => isset( $_POST['profileUrl'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['profileUrl'] ) ) : '', //phpcs:ignore 'user_picture' => isset( $_POST['profilePic'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize($_POST['profilePic'] ) ) : '', //phpcs:ignore 'social_user_id' => isset( $_POST['userid'] ) ? sanitize_text_field( mo_openid_decrypt_sanitize( $_POST['userid'] ) ) : '', //phpcs:ignore ); mo_openid_process_user_details( $appuserdetails, $decrypted_app_name ); }
While encrypting this information would normally provide protection against manipulating the request and prevent identity spoofing, we unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin, which means that threat actors also had access to the key which was not unique per WordPress installation. This makes it possible for attackers to craft a valid request containing a properly encrypted email address which vulnerable versions of the plugin use during the login process to determine the user.
Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts, make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.
Disclosure Timeline
May 28, 2023 – Discovery of the Authentication Bypass vulnerability in WordPress Social Login and Register.
May 30, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
June 2, 2023 – The vendor confirms the inbox for handling the discussion.
June 2, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 2, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Please note we delayed the firewall rule to prevent completely breaking the plugin’s core functionality.
June 14, 2023 – A fully patched version of the plugin, 7.6.5, is released.
July 2, 2023 – Wordfence Free users receive the same protection.
Conclusion
In this blog post, we have detailed an Authentication Bypass vulnerability within the WordPress Social Login and Register plugin affecting versions 7.6.4 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to the accounts of users who have abandoned their carts. The vulnerability has been fully addressed in version 7.6.5 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of WordPress Social Login and Register as soon as possible.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence will receive the same protection on July 2, 2023.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
The post miniOrange Addresses Authentication Bypass Vulnerability in WordPress Social Login and Register WordPress Plugin appeared first on Wordfence.