CVE-2026-12761
cyberlord92 · miniOrange Social Login and Register
The miniOrange Social Login and Register plugin for WordPress is vulnerable to unauthenticated account takeover via flawed OAuth email validation and predictable OTP transaction hashing.
Executive summary
An unauthenticated account takeover vulnerability in the miniOrange Social Login and Register plugin allows attackers to gain full administrative access to WordPress sites.
Vulnerability
This vulnerability allows unauthenticated attackers to manipulate the Profile Completion flow by supplying an arbitrary email address and cracking a predictable OTP token hash to authenticate as any user, including administrators.
Business impact
Successful exploitation results in full administrative compromise of the WordPress instance. Given the CVSS score of 9.8, this represents a critical risk, as an attacker can gain complete control over the site, modify content, inject malicious scripts, or exfiltrate sensitive user data, leading to severe reputational damage and potential regulatory non-compliance.
Remediation
Immediate Action: Update the miniOrange Social Login and Register plugin to the latest available version immediately.
Proactive Monitoring: Review WordPress user account logs for unexpected administrative account creations or unauthorized password resets.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to block suspicious POST requests to the profile completion and OTP validation endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability poses a critical threat to the integrity and security of the affected WordPress environment. Administrators must prioritize updating this plugin to the latest version to close the authentication bypass vector and prevent unauthorized administrative access.