{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/miniorange-social-login-and-register-discord-google-twitter-linkedin-plugin-for-wordpress--7.7.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-12761"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress \u003c= 7.7.0"],"_cs_severities":["critical"],"_cs_tags":["web","authentication-bypass","wordpress","cve","account-takeover","plugin"],"_cs_type":"advisory","_cs_vendors":["miniOrange"],"content_html":"\u003cp\u003eCVE-2026-12761 describes a critical authentication bypass vulnerability impacting the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress, specifically in versions up to and including 7.7.0. Unauthenticated attackers can exploit this flaw to achieve full administrator account takeover. The vulnerability stems from two main issues: the plugin's \u0026quot;Profile Completion\u0026quot; flow accepts an arbitrary email address via the 'email_field' POST parameter without proper verification against the OAuth provider, and the \u003ccode\u003esend_otp_token()\u003c/code\u003e function returns a SHA-512 hash of the \u003ccode\u003ecustomer_key\u003c/code\u003e and OTP directly to the client. Crucially, the OTP space is very small (99,000 values), and the \u003ccode\u003ecustomer_key\u003c/code\u003e is either static or empty on unregistered installs, making the OTP susceptible to rapid offline cracking. This allows an attacker to trigger an OTP to a target administrator's email, crack the OTP from the leaked hash, and use it to log in as the administrator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable WordPress site running the miniOrange Social Login and Register plugin (version \u0026lt;= 7.7.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends a POST request to the plugin's \u0026quot;Profile Completion flow\u0026quot; endpoint, supplying a known administrator's email address in the 'email_field' parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin's \u003ccode\u003esend_otp_token()\u003c/code\u003e function sends an OTP to the specified administrator's email and returns a transaction hash (\u003ccode\u003eSHA-512(customer_key || otp)\u003c/code\u003e) to the attacker's client.\u003c/li\u003e\n\u003cli\u003eLeveraging the small OTP space (1,000-99,999 values) and the static/empty \u003ccode\u003ecustomer_key\u003c/code\u003e, the attacker performs an offline brute-force attack on the leaked SHA-512 hash to crack the OTP in less than one second.\u003c/li\u003e\n\u003cli\u003eThe attacker then submits the cracked OTP to the \u003ccode\u003emo_openid_social_login_validate_otp()\u003c/code\u003e function, along with the administrator's email address.\u003c/li\u003e\n\u003cli\u003eThe plugin validates the OTP and logs the attacker into the WordPress site as the legitimate administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrator access to the WordPress site, enabling complete account takeover and potential further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-12761 allows unauthenticated attackers to gain complete administrator access to affected WordPress websites. This directly leads to full account takeover of the administrator's account, giving the attacker control over the website's content, users, and installed plugins. Consequences can include website defacement, arbitrary code execution, data exfiltration from the WordPress database, creation of new malicious administrator accounts, distribution of malware to site visitors, or using the compromised website as a pivot point for further attacks on the hosting environment or connected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress to a version greater than 7.7.0 to remediate CVE-2026-12761.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests to WordPress endpoints related to authentication or profile completion that contain the \u003ccode\u003eemail_field\u003c/code\u003e parameter, particularly if they are followed by rapid subsequent authentication attempts using OTPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T21:18:23Z","date_published":"2026-07-10T21:18:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-12761-miniorange-auth-bypass/","summary":"An authentication bypass vulnerability (CVE-2026-12761) in the miniOrange Social Login and Register WordPress plugin, affecting versions up to 7.7.0, allows unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, offline crack the weak OTP from a leaked hash, and gain full administrator access by logging in as the target user.","title":"miniOrange WordPress Plugin Authentication Bypass via OTP Weakness","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-12761-miniorange-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - MiniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin for WordPress \u003c= 7.7.0","version":"https://jsonfeed.org/version/1.1"}