CVE-2024-10020
Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass via Disqus OAuth provider
highImproper Authentication
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.1.36
Patched in
107d
Time to patch
Description
The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also at risk if authentication for administrators has explicitly been allowed via the social login.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=1.1.35PublishedNovember 5, 2024
Last updatedFebruary 19, 2025
Affected pluginheateor-social-login
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.