Plugin Author
dzulu
(@dzulu)
Hello,
Thank you for the notice. I will take a look at this. At first glance, I am not sure how it would be possible to retrieve the email of an existing user. When the callback is executed, the email used for comparison is sent by an API (which requires a one-time token to access the data). Additionally, there is another check to verify that the email provided by the social network has been validated on their side, ensuring it is not a spoofed email being used by the social network (in the case of a link scenario). If the user doesn’t exist, there is no possibility to directly be an admin (except if someone grants this user), so it should only be for a link scenario.
Best regards,
Damien
Judging by the amount of spam I receive on some of the admin email addresses, there is most certainly a way to retrieve the email address of an account without being logged in. But as far as I understand, retrieving the address is not the point of the CVSS, but being able to log in with any other account instead of the one just authenticated.
The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
I’d recommend contacting the original Researcher for more details or a PoC.
Plugin Author
dzulu
(@dzulu)
Getting emails is different from logging in from a social network using an email. Most social networks return a flag indicating whether the mail has been verified (meaning that the user received an email from the social network and verified it from this email, which should be a first security). Then the plugin checks this flag when the email is added. I will try to contact them and see what the test was.
This reply was modified 1 year, 5 months ago by dzulu.
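The two checks discussed in this thread (the provider's "email verified" flag, and the difference between logging in and linking an existing account) can be expressed as one callback-side decision. The following is an added illustration and is not code from the Social Login plugin; it assumes the provider profile has already been fetched server-side with the one-time token the author mentions, that it carries `provider`, `sub` (the provider's user id), `email` and `email_verified`, and that linked identities live in a hypothetical user meta key `sl_linked_identity`. The profile at the bottom is a constructed sample.

```php
<?php
/**
 * Resolve a social-login callback profile to an action. Added example, not the
 * plugin's own code. Only an explicitly linked provider identity yields a login;
 * an email match, even a verified one, can at most ask the user to link the
 * account while logged in through the normal WordPress login.
 *
 * Returns array( 'status' => 'login'|'link_required'|'register'|'reject',
 *                'user'   => WP_User|null ).
 */
function sl_resolve_callback( array $profile ) {
    $provider = isset( $profile['provider'] ) ? (string) $profile['provider'] : '';
    $sub      = isset( $profile['sub'] ) ? (string) $profile['sub'] : '';
    if ( '' === $provider || '' === $sub ) {
        // No stable provider identity: nothing can be trusted from this profile.
        return array( 'status' => 'reject', 'user' => null );
    }

    // 1. Identity path: an account that was previously linked to provider:sub.
    //    The email is not consulted here, so an email collision alone never logs in.
    $linked = get_users( array(
        'meta_key'   => 'sl_linked_identity', // hypothetical meta key (assumption)
        'meta_value' => $provider . ':' . $sub,
        'number'     => 1,
    ) );
    if ( ! empty( $linked ) ) {
        return array( 'status' => 'login', 'user' => $linked[0] );
    }

    // 2. Email is only considered when the provider states it verified the
    //    address itself (the flag the plugin author describes).
    $email = isset( $profile['email'] ) ? sanitize_email( $profile['email'] ) : '';
    if ( ! is_email( $email ) || empty( $profile['email_verified'] ) ) {
        return array( 'status' => 'reject', 'user' => null );
    }

    // 3. Verified email that matches an existing site account but no link yet:
    //    this is the "link scenario". Do not log in; require the account owner
    //    to authenticate with WordPress and link from their profile.
    $existing = get_user_by( 'email', $email );
    if ( $existing ) {
        return array( 'status' => 'link_required', 'user' => $existing );
    }

    // 4. Verified email with no matching account: safe to offer registration
    //    (a new account never starts with elevated capabilities).
    return array( 'status' => 'register', 'user' => null );
}

/**
 * Record the link for a user who is already authenticated with WordPress.
 * Called from the profile page, never from the unauthenticated callback.
 */
function sl_link_current_user( array $profile ) {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $identity = (string) $profile['provider'] . ':' . (string) $profile['sub'];
    return (bool) update_user_meta( get_current_user_id(), 'sl_linked_identity', $identity );
}

// Constructed sample profile, as a provider API might return it.
$sample_profile = array(
    'provider'       => 'example-network',
    'sub'            => '1234567890',
    'email'          => 'admin@example.com',
    'email_verified' => true,
);
$decision = sl_resolve_callback( $sample_profile );
// With a matching but unlinked account the status is 'link_required', so the
// caller must not call wp_set_auth_cookie() for that user.
if ( 'login' === $decision['status'] ) {
    wp_set_auth_cookie( $decision['user']->ID );
}
```

The design choice worth noting is that `wp_set_auth_cookie()` is reachable only from the `login` branch, which requires a previously stored provider identity; the email comparison by itself can only route the request to a linking or registration flow.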