Advisory No: TZCERT/SA/2024/07/26-3
Date of First Release: 26th July 2024
Source: Wordfence
Software Affected: woo-social-login
Overview:
The WordPress plugin woo-social-login contains a critical vulnerability. Exploitation of this vulnerability makes unauthenticated privilege escalation possible.
Description:
The WordPress plugin woo-social-login is affected by the vulnerability tracked as CVE-2024-6636, with a CVSS score of 9.8. The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the ‘woo_slg_login_email’ function. An attacker can exploit the vulnerability to change the default role to Administrator while registering for an account.
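To illustrate the bug class, the following hypothetical PHP handler (added here; it is not the plugin's own code, whose implementation the advisory does not show) contrasts a registration routine that trusts a client-supplied role with a hardened one that fixes the role to the site default and requires the promote_users capability before any override. The function names example_register_user_insecure / example_register_user_secure and the request field 'role' are assumptions.

```php
<?php
// Hypothetical registration handler illustrating the missing-capability-check
// pattern described for CVE-2024-6636. Not the plugin's actual code.

// INSECURE: the role is read from the request and no capability check is
// performed, so whoever reaches this handler chooses their own role.
function example_register_user_insecure() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $role  = sanitize_key( $_POST['role'] ?? 'subscriber' ); // client-controlled
    return wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role,
    ) );
}

// HARDENED: the role is never taken from an unauthenticated request. Self-
// registration always gets the site's configured default role, and only a
// logged-in user who holds 'promote_users' may request a different one.
function example_register_user_secure() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid or existing email.' );
    }
    $role = get_option( 'default_role', 'subscriber' );
    // Role override is an administrative action: require the capability
    // and reject unknown role names.
    if ( isset( $_POST['role'] ) ) {
        $requested = sanitize_key( wp_unslash( $_POST['role'] ) );
        if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden', 'Not allowed to set a role.' );
        }
        if ( ! wp_roles()->is_role( $requested ) ) {
            return new WP_Error( 'bad_role', 'Unknown role.' );
        }
        $role = $requested;
    }
    return wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}
```

When reviewing a plugin's registration or social-login code, the check to look for is that the role written to wp_insert_user() is derived from get_option('default_role') or a server-side decision gated by current_user_can(), never from request data.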
Impact:
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized administrative access to the WordPress site.
Solution:
WordPress has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
References: