CVE-2024-9946

Improper Authentication (CWE-287)

Published: Nov 6, 2024 / Updated: 13d ago

CVSS 8.1 | EPSS 0.05% | Severity: High

Summary

The Social Share, Social Login and Social Comments Plugin – Super Socializer for WordPress is vulnerable to authentication bypass in versions up to and including 7.13.68. This vulnerability is caused by insufficient verification of the user being returned by the social login token. It allows unauthenticated attackers to log in as any existing user on the site if they have access to the email and the user does not have an existing account for the service returning the token.
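The pattern the summary describes, shown as an added illustrative example rather than Super Socializer's own code: a social-login callback that resolves the returned identity to a WordPress account by e-mail alone, next to a hardened version that only honours a previously established provider-to-account link. The `$profile` array shape, the `social_link_*` user-meta key and both function names are assumptions for this example.

```php
<?php
// Illustrative WordPress social-login handler (added example, not the plugin's code).
// $profile is assumed to be the identity the provider returned after the token
// itself was validated, e.g. ['provider' => 'example', 'id' => '12345', 'email' => 'user@example.org'].

// VULNERABLE pattern: match on e-mail alone. Any existing WordPress user whose
// e-mail the provider reports can be logged in, even though that provider
// identity was never linked to the account (the condition named in the summary).
function insecure_social_login( array $profile ) {
    $user = get_user_by( 'email', $profile['email'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for this e-mail' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}

// HARDENED pattern: log in only through an explicit link (provider + provider
// user id stored in user meta). No fallback to an e-mail match against an
// existing account, and no social login for accounts with elevated capabilities.
function secure_social_login( array $profile ) {
    $meta_key = 'social_link_' . sanitize_key( $profile['provider'] ); // assumed key
    $ids = get_users( array(
        'meta_key'   => $meta_key,
        'meta_value' => (string) $profile['id'],
        'number'     => 2,
        'fields'     => 'ID',
    ) );
    if ( count( $ids ) !== 1 ) {
        // Not linked yet (or ambiguous): the user must authenticate with their
        // WordPress credentials first and link the provider from their profile.
        return new WP_Error( 'not_linked', 'Social identity is not linked to an account' );
    }
    $user = get_user_by( 'id', $ids[0] );
    if ( ! $user || user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'not_allowed', 'Social login is not permitted for this account' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The hardened version also reflects mitigation item 3 on this page: administrator-level accounts are refused social login outright instead of relying on a configuration toggle.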

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.1, indicating a significant risk. The impact on confidentiality, integrity, and availability is rated as HIGH. Attackers can bypass authentication and gain unauthorized access to user accounts, leading to significant data exposure, modification of user data, and potential service disruptions. Administrator accounts are not at risk by default, but they can be compromised if social login has been explicitly enabled for administrators.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A partial patch is available in version 7.13.68 of the plugin. However, this version is itself still listed as vulnerable, which suggests that a complete fix may be pending in a future release. Update to this version immediately for the mitigation it provides, and monitor closely for a later release that fully resolves the issue.

Mitigation

1. Update the Social Share, Social Login and Social Comments Plugin – Super Socializer to at least version 7.13.68 immediately.
2. Monitor for future updates that may provide a complete fix for this vulnerability.
3. If possible, disable social login functionality, especially for administrator accounts.
4. Implement additional authentication factors for critical user accounts.
5. Regularly audit user accounts and access logs for any suspicious activities.
6. Consider implementing network segmentation to limit the potential impact of compromised accounts.
7. Educate users about the risks of using social login features and encourage the use of unique, strong passwords for their WordPress accounts.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Feedly found the first article mentioning CVE-2024-9946.
Nov 6, 2024 at 6:54 AM / Vulners.com RSS Feed

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Nov 6, 2024 at 6:54 AM

CVE Assignment
NVD published the first details for CVE-2024-9946.
Nov 6, 2024 at 7:15 AM

CVSS
A CVSS base score of 8.1 has been assigned.
Nov 6, 2024 at 7:20 AM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.7%)
Nov 7, 2024 at 10:05 AM

Affected Systems

Heateor/super_socializer

Patches

plugins.trac.wordpress.org

Links to MITRE ATT&CK

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-114: Authentication Abuse

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)
Update Thu Nov 7 14:29:30 UTC 2024
NA - CVE-2024-9946 - The Social Share, Social Login and Social...
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. This is due...
CVE-2024-9946
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. Severity 3.1 (CVSS 3.1 Base Score)
CVE-2024-9946 - WordPress Super Socializer Social Login Token Authentication Bypass
CVE ID: CVE-2024-9946. Published: Nov. 6, 2024, 7:15 a.m. Description: The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also at risk if authentication for administrators has explicitly been allowed via the social login.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
