CVE-2026-12761
Received Received - Intake

Authentication Bypass in miniOrange Social Login WordPress Plugin

Vulnerability report for CVE-2026-12761, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied β€” granting full administrator access.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
miniorange social_login_and_register to 7.7.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The miniOrange Social Login and Register plugin for WordPress, which supports Discord, Google, Twitter, and LinkedIn logins, has a vulnerability in versions up to and including 7.7.0 that allows authentication bypass leading to account takeover.

This happens because the Profile Completion flow accepts any email address via the 'email_field' POST parameter without verifying that the email actually belongs to the identity returned by the OAuth provider.

Additionally, the function send_otp_token() returns a SHA-512 hash of the customer_key concatenated with the OTP to the client. The OTP space is limited to 99,000 values, making it feasible for an attacker to crack the OTP offline quickly.

An unauthenticated attacker can trigger an OTP email to an arbitrary admin's address, crack the OTP from the leaked hash in under a second, and submit the cracked OTP to the validation function, which logs the attacker in as the user whose email was supplied, granting full administrator access.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to gain full administrator access to a WordPress site using the miniOrange Social Login and Register plugin.

An attacker can take over any user account, including admin accounts, which can lead to complete compromise of the website.

Consequences include unauthorized access to sensitive data, modification or deletion of content, installation of malicious code, and disruption of website operations.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and gain full administrator access by exploiting flaws in the email verification and OTP mechanisms. This can lead to unauthorized access to sensitive user data and administrative functions.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information, as well as measures to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart