A critical vulnerability has been identified in the miniOrange WordPress Social Login and Register plugin, a widely used tool for managing user logins. This flaw allows an unauthenticated remote attacker to include and execute arbitrary files on the server, potentially leading to a complete takeover of the affected website. Given the critical severity (CVSS 9.8), this vulnerability poses a significant risk of data theft, website defacement, and further network compromise.

The vulnerability is a Local File Inclusion (LFI) flaw within the plugin. The application fails to properly sanitize user-supplied input that is used to construct a file path for an include or require PHP statement. An unauthenticated remote attacker can craft a malicious request containing directory traversal sequences (e.g., ../) to force the application to include a local file on the server. If the attacker can also upload a file with malicious PHP code (e.g., disguised as an image) or poison a log file, they can trick the application into executing this code, resulting in Remote Code Execution (RCE) with the privileges of the web server process.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server hosting the WordPress site. The potential business impact includes, but is not limited to, theft of sensitive data such as customer information and database credentials, unauthorized modification of the website (defacement), installation of persistent backdoors or malware, and using the compromised server to launch further attacks. Such an incident can result in significant financial loss, reputational damage, and potential regulatory penalties.

Immediate Action: Immediately update the miniOrange WordPress Social Login and Register plugin to the latest version available (a version later than 7.7.0) which contains the security patch for this vulnerability. After patching, carefully review web server and application access logs for any evidence of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Scrutinize web server access logs for suspicious GET or POST requests containing directory traversal patterns (../, ..\/), absolute file paths (/etc/passwd), or PHP wrappers (php://filter, php://input).
• File Integrity Monitoring: Implement or review file integrity monitoring alerts for unexpected changes or the creation of new files (especially .php files) in web-accessible directories.
• Network Traffic: Monitor for unusual outbound connections from the web server, which could indicate a successful compromise and communication with a command-and-control server.

Compensating Controls: If patching cannot be performed immediately, consider the following temporary measures:

• Disable the Plugin: Deactivate and disable the miniOrange WordPress Social Login and Register plugin until it can be safely updated.
• Web Application Firewall (WAF): Deploy a WAF with a robust ruleset designed to detect and block LFI and directory traversal attack patterns.
• Harden PHP: Ensure PHP configuration is hardened by setting allow_url_include to Off. While this vulnerability is primarily an LFI, this control prevents a common escalation path.

Public Exploit Available: False (as of Dec 30, 2025)

Due to the critical severity (CVSS 9.8) of this vulnerability and the high likelihood of it leading to a full system compromise, immediate action is required. All organizations using the miniOrange WordPress Social Login and Register plugin must prioritize updating to the latest patched version without delay. Although this vulnerability is not currently listed on the CISA KEV catalog, its impact is severe enough that it should be treated with the highest urgency. A failure to patch promptly exposes the organization to a significant risk of a security breach.