
A critical vulnerability in WordPress (CVE-2024-6636)

Advisory No: TZCERT/SA/2024/07/26-3

Date of First Release: 26th July 2024

Source: Wordfence

Software Affected: woo-social-login

Overview:

The woo-social-login WordPress plugin contains a critical vulnerability. Exploitation allows unauthenticated privilege escalation.

Description:

The WordPress plugin woo-social-login is affected by the vulnerability tracked as CVE-2024-6636, which has a CVSS score of 9.8. The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the ‘woo_slg_login_email’ function. An attacker can exploit the vulnerability to change the default role to Administrator while registering an account.
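The class of bug described above is a registration handler that honours a role value supplied by the caller without checking whether the caller may assign roles. The following is an added illustration written for this advisory; it is not the woo-social-login plugin's code and does not reproduce its ‘woo_slg_login_email’ function. The function names example_vulnerable_register and example_hardened_register and the request keys login, email and role are assumptions; the WordPress core functions (wp_insert_user, current_user_can, wp_roles, get_option, sanitize_user, sanitize_email, is_email, wp_generate_password, WP_Error) are real.

```php
<?php
/**
 * Added illustration (not the plugin's code) of a missing-capability-check
 * registration bug and its hardened form. Names prefixed example_ and the
 * request keys used here are assumptions for this example.
 */

// Vulnerable pattern: the role of the new account is copied from the request.
// An anonymous visitor can therefore ask for 'administrator' while signing up,
// and nothing checks whether the caller is allowed to assign roles at all.
function example_vulnerable_register( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['login'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => wp_generate_password(),
        'role'       => $request['role'],   // caller-controlled: the bug
    ) );
}

// Hardened pattern: anonymous sign-ups always receive the site's default role;
// a different role may only be requested by a logged-in user who holds the
// promote_users capability, and only if that role actually exists.
function example_hardened_register( array $request ) {
    $role = get_option( 'default_role', 'subscriber' );

    if ( ! empty( $request['role'] ) ) {
        // Capability check: this is the check the advisory says was missing.
        if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden', 'Not allowed to assign a role.' );
        }
        // Allow-list against the roles registered on this site.
        $requested = sanitize_key( $request['role'] );
        if ( ! wp_roles()->is_role( $requested ) ) {
            return new WP_Error( 'invalid_role', 'Unknown role.' );
        }
        $role = $requested;
    }

    $email = sanitize_email( $request['email'] );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['login'], true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role,
    ) );
}
```

The point of the hardened form is that the role never flows from request input to wp_insert_user unless a capability check has passed; defaulting to get_option( 'default_role' ) means an unauthenticated sign-up cannot influence the privilege level of the account it creates.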

Impact:

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized administrative access to the WordPress site.
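Because the outcome of exploitation is an unexpected administrator account, an administrator reviewing a site can audit privileged accounts created in a given window. The helper below is an added example for this advisory, not part of the plugin or of WordPress core; the function name example_recent_admins and the cut-off date are assumptions, and it is meant to be run inside WordPress (for instance with WP-CLI's wp eval-file). WP_User_Query and its role, date_query and fields arguments are real core features.

```php
<?php
/**
 * Added audit helper (not the plugin's or WordPress core's code): list
 * administrator accounts whose registration date is on or after $since,
 * so unexpected privileged accounts can be reviewed. Example names and the
 * sample date are assumptions. Run inside WordPress, e.g. `wp eval-file`.
 */
function example_recent_admins( string $since ) : array {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array(
            array( 'after' => $since, 'inclusive' => true ), // on user_registered
        ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );

    $rows = array();
    foreach ( $query->get_results() as $u ) {
        $rows[] = array(
            'id'         => (int) $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        );
    }
    return $rows;
}

// Sample cut-off date (constructed for this example): review every
// administrator registered in the month before the advisory was issued.
foreach ( example_recent_admins( '2024-06-26' ) as $row ) {
    printf( "%d\t%s\t%s\t%s\n", $row['id'], $row['login'], $row['email'], $row['registered'] );
}
```

Any administrator account in the output that the site owner did not create deliberately warrants investigation; the registration date alone does not prove compromise, so compare the list against known staff accounts and the site's web server access logs for the registration endpoint.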

Solution:

WordPress has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woo-social-login/woocommerce-social-login-273-missing-authorization-to-unauthenticated-privilege-escalation
  2. https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
