Unauthenticated Attackers Can Log in as Any Existing User on the Site
CVE-2024-9946

8.1 HIGH

Key Information:

Summary

The Super Socializer plugin for WordPress, which provides social sharing and social login, is exposed to an authentication bypass vulnerability caused by insufficient verification of the user identified by a social login token. This flaw allows unauthenticated attackers to log in as existing users, provided they know the user's email address and the social login does not correspond to an account on the site that already uses the returned token. Administrator accounts cannot be accessed this way by default, but the risk increases if an administrator has configured their account to allow social logins. The vulnerability has been partially addressed in version 7.13.68.
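To make the class of weakness concrete, here is an added illustrative pair of WordPress social-login callback handlers. This is hypothetical code written for this page, not Super Socializer's own; the provider userinfo URL, the `email_verified` field and the user-meta key are assumptions. The first handler trusts the profile submitted by the client and matches on email, which is the pattern that lets anyone who knows an email address be logged in; the second verifies the token with the provider server-side and matches on the provider's subject id.

```php
<?php
// Illustrative social-login callback handlers. Hypothetical code, not Super Socializer's.
// Assumed: the provider exposes a userinfo endpoint (placeholder URL) that validates the
// access token and returns JSON with 'id', 'email' and 'email_verified'.
const PROVIDER_USERINFO_URL = 'https://provider.example/userinfo'; // placeholder
const SOCIAL_ID_META_KEY    = 'social_example_provider_id';        // hypothetical meta key

// Vulnerable pattern: the profile comes from the client, not from the provider, so whoever
// knows a user's email address is authenticated as that user without a valid token.
function insecure_social_login( array $posted ) {
    $user = get_user_by( 'email', sanitize_email( $posted['email'] ) );
    if ( ! $user ) { return new WP_Error( 'no_user', 'Unknown user' ); }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}

// Hardened pattern: verify the token with the provider server-side, match the account on
// the provider's stable subject id, link by email only if the provider verified it, and
// never log administrators in through this path.
function secure_social_login( string $token ) {
    $resp = wp_remote_get( PROVIDER_USERINFO_URL, array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'token_invalid', 'Provider rejected the token' );
    }
    $profile = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $profile['id'] ) ) {
        return new WP_Error( 'token_invalid', 'Profile has no subject id' );
    }
    $linked = get_users( array( 'meta_key' => SOCIAL_ID_META_KEY,
                                'meta_value' => (string) $profile['id'], 'number' => 1 ) );
    $user = $linked ? $linked[0] : null;
    if ( ! $user ) { // first login through this provider: link only a verified email
        if ( empty( $profile['email_verified'] ) || empty( $profile['email'] ) ) {
            return new WP_Error( 'email_unverified', 'Refusing to link an unverified email' );
        }
        $user = get_user_by( 'email', $profile['email'] );
        if ( ! $user || user_can( $user, 'manage_options' ) ) {
            return new WP_Error( 'no_user', 'No linkable non-admin account' );
        }
        update_user_meta( $user->ID, SOCIAL_ID_META_KEY, (string) $profile['id'] );
    }
    if ( user_can( $user, 'manage_options' ) ) { // role may have changed since linking
        return new WP_Error( 'forbidden', 'Social login is disabled for administrators' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The hardened handler also avoids the second condition named in the advisory: a token whose provider id is already linked to one account can never be redirected to a different account by supplying another email.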

Affected Version(s)

Social Share, Social Login and Social Comments Plugin – Super Socializer: all versions <= 7.13.68

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

wesley