Unauthorized Modification of Data in WooCommerce Social Login Plugin
CVE-2024-6636
9.8 CRITICAL
What is CVE-2024-6636?
The WooCommerce - Social Login plugin for WordPress is affected by a vulnerability that allows unauthorized modification of data. The cause is a missing capability check on the 'woo_slg_login_email' function, present in all versions up to and including 2.7.3. Unauthenticated attackers can exploit this to change a new user's default role to Administrator during account registration, gaining elevated privileges within the WordPress site. Site owners should make sure they are running the latest version of the plugin and regularly review their site security practices.
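The defect described above is the absence of two controls in a request handler: a check that the caller actually holds the capability needed to change a privileged setting, and a server-side decision about which role a newly registered account receives. The following is an added illustration written for this page, not the plugin's own code; the function and hook names (`slg_*`), the nonce action name and the allow-list of roles are assumptions chosen to show the pattern, and the real plugin's internals may differ.

```php
<?php
/*
 * Hypothetical hardened registration flow (illustration only, not the plugin's code).
 * Shows the controls whose absence CVE-2024-6636 describes: every privileged
 * change is gated by a capability check plus a nonce, and the role given to a
 * new account is decided on the server from an allow-list, never from request data.
 */

// Roles that a self-service social-login registration may ever receive (assumed list).
const SLG_ALLOWED_SELF_REGISTRATION_ROLES = array( 'subscriber', 'customer' );

/**
 * Return the role a new social-login user should get.
 * The stored setting is validated against the allow-list so that even a
 * tampered option value cannot hand out Administrator.
 */
function slg_resolve_new_user_role() {
    $configured = sanitize_key( (string) get_option( 'slg_new_user_role', 'subscriber' ) );
    if ( in_array( $configured, SLG_ALLOWED_SELF_REGISTRATION_ROLES, true ) ) {
        return $configured;
    }
    return 'subscriber'; // fall back to the least-privileged role
}

/**
 * Unauthenticated entry point: creates (or logs in) a user for a verified email.
 * Note that it reads no role from the request at all.
 */
function slg_handle_login_email() {
    check_ajax_referer( 'slg_login_email', 'nonce' ); // request-origin (CSRF) check

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        $user_id = wp_insert_user( array(
            'user_login' => $email,
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => slg_resolve_new_user_role(), // server-side decision
        ) );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( 'registration failed', 500 );
        }
    }
    wp_send_json_success( 'ok' );
}
add_action( 'wp_ajax_nopriv_slg_login_email', 'slg_handle_login_email' );
add_action( 'wp_ajax_slg_login_email', 'slg_handle_login_email' );

/**
 * Administrative entry point: changes the role setting used above.
 * This is the path that needs the capability check the advisory says was missing.
 */
function slg_handle_update_new_user_role() {
    check_ajax_referer( 'slg_update_role', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // unauthenticated or low-privilege callers stop here
    }

    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';
    if ( ! in_array( $role, SLG_ALLOWED_SELF_REGISTRATION_ROLES, true ) ) {
        wp_send_json_error( 'role not permitted for self-registration', 400 );
    }

    update_option( 'slg_new_user_role', $role );
    wp_send_json_success( 'ok' );
}
// Registered only for logged-in requests; there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_slg_update_new_user_role', 'slg_handle_update_new_user_role' );
```

Two design points matter here. First, the public handler never accepts a role parameter, so there is nothing an anonymous caller can supply to influence privilege; the role comes from a validated setting. Second, the setting itself can only be changed through a handler that is registered for authenticated requests, verifies a nonce, and checks `manage_options`, and even then only to a role on the allow-list, so Administrator is unreachable from either path. When reviewing a plugin for this class of bug, look for any `wp_ajax_nopriv_*` or public REST route that writes an option or calls `wp_insert_user`/`update_option` without a `current_user_can()` check.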
Affected Version(s)
WooCommerce - Social Login 0 <= 2.7.3