Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for WooCommerce - Social Login by WPWeb

    CVE-2024-10114 (GCVE-0-2024-10114)

    Vulnerability from nvd – Published: 2024-11-05 08:31 – Updated: 2026-04-08 17:00
    VLAI
    Title
    Social Login - WordPress / WooCommerce Plugin <= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.7 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.7 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10114",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:15:57.693574Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:19:14.333Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:38.770Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71df23bf-8f51-4260-be1f-ed5bc29d4afe?source=cve"
            },
            {
              "url": "https://www.wpwebelite.com/changelogs/woocommerce-social-login/changelog.txt"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Social Login - WordPress / WooCommerce Plugin \u003c= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10114",
        "datePublished": "2024-11-05T08:31:36.630Z",
        "dateReserved": "2024-10-17T23:38:04.314Z",
        "dateUpdated": "2026-04-08T17:00:38.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7503 (GCVE-0-2024-7503)

    Vulnerability from nvd – Published: 2024-08-10 02:01 – Updated: 2026-04-08 17:32
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.5 - Authentication Bypass to Account Takeover
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.5 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.5 (custom)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7503",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-13T15:16:49.489522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T15:18:37.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the \u0027woo_slg_confirm_email_user\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:57.105Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3b727ba-b39c-4a98-a6a6-ea33785079f6?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-09T13:23:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.5 - Authentication Bypass to Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7503",
        "datePublished": "2024-08-10T02:01:24.069Z",
        "dateReserved": "2024-08-05T17:25:54.172Z",
        "dateUpdated": "2026-04-08T17:32:57.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6637 (GCVE-0-2024-6637)

    Vulnerability from nvd – Published: 2024-07-20 07:37 – Updated: 2026-04-08 16:36
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Unauthenticated Privilege Escalation via One-Time Password
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    yithemes yith_woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:yithemes:yith_woocommerce_social_login:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yithemes:yith_woocommerce_social_login:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yith_woocommerce_social_login",
                "vendor": "yithemes",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6637",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T14:11:16.496227Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T20:34:59.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:07.667Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Unauthenticated Privilege Escalation via One-Time Password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6637",
        "datePublished": "2024-07-20T07:37:52.405Z",
        "dateReserved": "2024-07-09T21:48:55.671Z",
        "dateUpdated": "2026-04-08T16:36:07.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6636 (GCVE-0-2024-6636)

    Vulnerability from nvd – Published: 2024-07-20 07:38 – Updated: 2026-04-08 17:01
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Missing Authorization to Unauthenticated Privilege Escalation
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T13:56:39.767727Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T13:26:28.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77ea4ba8-6c13-494a-92e3-12643003635b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027woo_slg_login_email\u0027 function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:01:47.344Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77ea4ba8-6c13-494a-92e3-12643003635b?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Missing Authorization to Unauthenticated Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6636",
        "datePublished": "2024-07-20T07:38:04.704Z",
        "dateReserved": "2024-07-09T21:41:08.937Z",
        "dateUpdated": "2026-04-08T17:01:47.344Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6635 (GCVE-0-2024-6635)

    Vulnerability from nvd – Published: 2024-07-20 07:38 – Updated: 2026-04-08 16:46
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Unauthenticated Authentication Bypass
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T14:58:44.736827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-22T20:38:42.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.272Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37836722-eb25-4393-8cdf-91057642ba3f?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the \u0027woo_slg_login_email\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:23.609Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37836722-eb25-4393-8cdf-91057642ba3f?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Unauthenticated Authentication Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6635",
        "datePublished": "2024-07-20T07:38:03.542Z",
        "dateReserved": "2024-07-09T21:27:51.133Z",
        "dateUpdated": "2026-04-08T16:46:23.609Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5871 (GCVE-0-2024-5871)

    Vulnerability from nvd – Published: 2024-06-15 03:35 – Updated: 2026-04-08 17:35
    VLAI
    Title
    WooCommerce - Social Login <= 2.6.2 - Unauthenticated PHP Object Injection
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'woo_slg_verify' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.6.2 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.6.2 (custom)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.6.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5871",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T13:54:01.613557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T13:29:10.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.925Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the \u0027woo_slg_verify\u0027 vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:35:24.161Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.6.2 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5871",
        "datePublished": "2024-06-15T03:35:11.306Z",
        "dateReserved": "2024-06-11T15:39:49.296Z",
        "dateUpdated": "2026-04-08T17:35:24.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5868 (GCVE-0-2024-5868)

    Vulnerability from nvd – Published: 2024-06-15 03:35 – Updated: 2026-04-08 17:10
    VLAI
    Title
    WooCommerce - Social Login <= 2.6.2 - Email Verification due to Insufficient Randomness
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.6.2 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5868",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T14:19:08.028127Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T14:19:22.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97fbbf5b-d3c7-47ce-b251-ce1fe38af152?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330 Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:35.444Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97fbbf5b-d3c7-47ce-b251-ce1fe38af152?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.6.2 - Email Verification due to Insufficient Randomness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5868",
        "datePublished": "2024-06-15T03:35:10.691Z",
        "dateReserved": "2024-06-11T15:31:25.064Z",
        "dateUpdated": "2026-04-08T17:10:35.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10114 (GCVE-0-2024-10114)

    Vulnerability from cvelistv5 – Published: 2024-11-05 08:31 – Updated: 2026-04-08 17:00
    VLAI
    Title
    Social Login - WordPress / WooCommerce Plugin <= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.7 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.7 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.7",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10114",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:15:57.693574Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:19:14.333Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:38.770Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71df23bf-8f51-4260-be1f-ed5bc29d4afe?source=cve"
            },
            {
              "url": "https://www.wpwebelite.com/changelogs/woocommerce-social-login/changelog.txt"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-04T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Social Login - WordPress / WooCommerce Plugin \u003c= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10114",
        "datePublished": "2024-11-05T08:31:36.630Z",
        "dateReserved": "2024-10-17T23:38:04.314Z",
        "dateUpdated": "2026-04-08T17:00:38.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7503 (GCVE-0-2024-7503)

    Vulnerability from cvelistv5 – Published: 2024-08-10 02:01 – Updated: 2026-04-08 17:32
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.5 - Authentication Bypass to Account Takeover
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.5 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.5 (custom)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7503",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-13T15:16:49.489522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T15:18:37.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the \u0027woo_slg_confirm_email_user\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:57.105Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3b727ba-b39c-4a98-a6a6-ea33785079f6?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-09T13:23:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.5 - Authentication Bypass to Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7503",
        "datePublished": "2024-08-10T02:01:24.069Z",
        "dateReserved": "2024-08-05T17:25:54.172Z",
        "dateUpdated": "2026-04-08T17:32:57.105Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6636 (GCVE-0-2024-6636)

    Vulnerability from cvelistv5 – Published: 2024-07-20 07:38 – Updated: 2026-04-08 17:01
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Missing Authorization to Unauthenticated Privilege Escalation
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-23T13:56:39.767727Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T13:26:28.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77ea4ba8-6c13-494a-92e3-12643003635b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027woo_slg_login_email\u0027 function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:01:47.344Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77ea4ba8-6c13-494a-92e3-12643003635b?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Missing Authorization to Unauthenticated Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6636",
        "datePublished": "2024-07-20T07:38:04.704Z",
        "dateReserved": "2024-07-09T21:41:08.937Z",
        "dateUpdated": "2026-04-08T17:01:47.344Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6635 (GCVE-0-2024-6635)

    Vulnerability from cvelistv5 – Published: 2024-07-20 07:38 – Updated: 2026-04-08 16:46
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Unauthenticated Authentication Bypass
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T14:58:44.736827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-22T20:38:42.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.272Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37836722-eb25-4393-8cdf-91057642ba3f?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the \u0027woo_slg_login_email\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:23.609Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37836722-eb25-4393-8cdf-91057642ba3f?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Unauthenticated Authentication Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6635",
        "datePublished": "2024-07-20T07:38:03.542Z",
        "dateReserved": "2024-07-09T21:27:51.133Z",
        "dateUpdated": "2026-04-08T16:46:23.609Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6637 (GCVE-0-2024-6637)

    Vulnerability from cvelistv5 – Published: 2024-07-20 07:37 – Updated: 2026-04-08 16:36
    VLAI
    Title
    WooCommerce - Social Login <= 2.7.3 - Unauthenticated Privilege Escalation via One-Time Password
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.7.3 (semver)
    Create a notification for this product.
    yithemes yith_woocommerce_social_login Affected: 0 , ≤ 2.7.3 (semver)
        cpe:2.3:a:yithemes:yith_woocommerce_social_login:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Vu Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yithemes:yith_woocommerce_social_login:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yith_woocommerce_social_login",
                "vendor": "yithemes",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6637",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T14:11:16.496227Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T20:34:59.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:04.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vu Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:07.667Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-19T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.7.3 - Unauthenticated Privilege Escalation via One-Time Password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6637",
        "datePublished": "2024-07-20T07:37:52.405Z",
        "dateReserved": "2024-07-09T21:48:55.671Z",
        "dateUpdated": "2026-04-08T16:36:07.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5871 (GCVE-0-2024-5871)

    Vulnerability from cvelistv5 – Published: 2024-06-15 03:35 – Updated: 2026-04-08 17:35
    VLAI
    Title
    WooCommerce - Social Login <= 2.6.2 - Unauthenticated PHP Object Injection
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'woo_slg_verify' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.6.2 (semver)
    Create a notification for this product.
    wpweb woocommerce_social_login Affected: 0 , ≤ 2.6.2 (custom)
        cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpweb:woocommerce_social_login:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "woocommerce_social_login",
                "vendor": "wpweb",
                "versions": [
                  {
                    "lessThanOrEqual": "2.6.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5871",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T13:54:01.613557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-24T13:29:10.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.925Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the \u0027woo_slg_verify\u0027 vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:35:24.161Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.6.2 - Unauthenticated PHP Object Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5871",
        "datePublished": "2024-06-15T03:35:11.306Z",
        "dateReserved": "2024-06-11T15:39:49.296Z",
        "dateUpdated": "2026-04-08T17:35:24.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5868 (GCVE-0-2024-5868)

    Vulnerability from cvelistv5 – Published: 2024-06-15 03:35 – Updated: 2026-04-08 17:10
    VLAI
    Title
    WooCommerce - Social Login <= 2.6.2 - Email Verification due to Insufficient Randomness
    Summary
    The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    WPWeb WooCommerce - Social Login Affected: 0 , ≤ 2.6.2 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5868",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T14:19:08.028127Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T14:19:22.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97fbbf5b-d3c7-47ce-b251-ce1fe38af152?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WooCommerce - Social Login",
              "vendor": "WPWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330 Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:35.444Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97fbbf5b-d3c7-47ce-b251-ce1fe38af152?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce - Social Login \u003c= 2.6.2 - Email Verification due to Insufficient Randomness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5868",
        "datePublished": "2024-06-15T03:35:10.691Z",
        "dateReserved": "2024-06-11T15:31:25.064Z",
        "dateUpdated": "2026-04-08T17:10:35.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }