miniOrange WordPress Plugin Authentication Bypass via OTP Weakness
An authentication bypass vulnerability (CVE-2026-12761) in the miniOrange Social Login and Register WordPress plugin, affecting versions up to 7.7.0, allows unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, offline crack the weak OTP from a leaked hash, and gain full administrator access by logging in as the target user.
CVE-2026-12761 describes a critical authentication bypass vulnerability impacting the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress, specifically in versions up to and including 7.7.0. Unauthenticated attackers can exploit this flaw to achieve full administrator account takeover. The vulnerability stems from two main issues: the plugin's "Profile Completion" flow accepts an arbitrary email address via the 'email_field' POST parameter without proper verification against the OAuth provider, and the send_otp_token() function returns a SHA-512 hash of the customer_key and OTP directly to the client. Crucially, the OTP space is very small (99,000 values), and the customer_key is either static or empty on unregistered installs, making the OTP susceptible to rapid offline cracking. This allows an attacker to trigger an OTP to a target administrator's email, crack the OTP from the leaked hash, and use it to log in as the administrator.
Attack Chain
- An unauthenticated attacker identifies a vulnerable WordPress site running the miniOrange Social Login and Register plugin (version <= 7.7.0).
- The attacker crafts and sends a POST request to the plugin's "Profile Completion flow" endpoint, supplying a known administrator's email address in the 'email_field' parameter.
- The plugin's
send_otp_token()function sends an OTP to the specified administrator's email and returns a transaction hash (SHA-512(customer_key || otp)) to the attacker's client. - Leveraging the small OTP space (1,000-99,999 values) and the static/empty
customer_key, the attacker performs an offline brute-force attack on the leaked SHA-512 hash to crack the OTP in less than one second. - The attacker then submits the cracked OTP to the
mo_openid_social_login_validate_otp()function, along with the administrator's email address. - The plugin validates the OTP and logs the attacker into the WordPress site as the legitimate administrator.
- The attacker gains full administrator access to the WordPress site, enabling complete account takeover and potential further exploitation.
Impact
Successful exploitation of CVE-2026-12761 allows unauthenticated attackers to gain complete administrator access to affected WordPress websites. This directly leads to full account takeover of the administrator's account, giving the attacker control over the website's content, users, and installed plugins. Consequences can include website defacement, arbitrary code execution, data exfiltration from the WordPress database, creation of new malicious administrator accounts, distribution of malware to site visitors, or using the compromised website as a pivot point for further attacks on the hosting environment or connected systems.
Recommendation
- Immediately update the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress to a version greater than 7.7.0 to remediate CVE-2026-12761.
- Review web server logs for suspicious POST requests to WordPress endpoints related to authentication or profile completion that contain the
email_fieldparameter, particularly if they are followed by rapid subsequent authentication attempts using OTPs.