CVE-2024-6637 – WooCommerce - Social Login <= 2.7.3 - Unauthenticated Privilege Escalation via One-Time Password
https://notcve.org/view.php?id=CVE-2024-6637
The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the user's email address.
• https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
• https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve
• CWE-305: Authentication Bypass by Primary Weakness
CVE-2024-6635 – WooCommerce - Social Login <= 2.7.3 - Unauthenticated Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-6635
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the user's email address.
• https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
• https://www.wordfence.com/threat-intel/vulnerabilities/id/37836722-eb25-4393-8cdf-91057642ba3f?source=cve
• CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-6636 – WooCommerce - Social Login <= 2.7.3 - Missing Authorization to Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-6636
The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.
• https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
• https://www.wordfence.com/threat-intel/vulnerabilities/id/77ea4ba8-6c13-494a-92e3-12643003635b?source=cve
• CWE-862: Missing Authorization
CVE-2024-5871 – WooCommerce - Social Login <= 2.6.2 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-5871
The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the vulnerable 'woo_slg_verify' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
• https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
• https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2024-5868 – WooCommerce - Social Login <= 2.6.2 - Email Verification due to Insufficient Randomness
https://notcve.org/view.php?id=CVE-2024-5868
The WooCommerce - Social Login plugin for WordPress is vulnerable to an email verification bypass in all versions up to, and including, 2.6.2 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.
• https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
• https://www.wordfence.com/threat-intel/vulnerabilities/id/97fbbf5b-d3c7-47ce-b251-ce1fe38af152?source=cve
• CWE-330: Use of Insufficiently Random Values