CVE-2026-12761

cyberlord92 · miniOrange Social Login and Register

The miniOrange Social Login and Register plugin for WordPress is vulnerable to unauthenticated account takeover via flawed OAuth email validation and predictable OTP transaction hashing.

Executive summary

An unauthenticated account takeover vulnerability in the miniOrange Social Login and Register plugin allows attackers to gain full administrative access to WordPress sites.

Vulnerability

This vulnerability allows unauthenticated attackers to manipulate the Profile Completion flow by supplying an arbitrary email address and cracking a predictable OTP token hash to authenticate as any user, including administrators.

Business impact

Successful exploitation results in full administrative compromise of the WordPress instance. Given the CVSS score of 9.8, this represents a critical risk, as an attacker can gain complete control over the site, modify content, inject malicious scripts, or exfiltrate sensitive user data, leading to severe reputational damage and potential regulatory non-compliance.

Remediation

Immediate Action: Update the miniOrange Social Login and Register plugin to the latest available version immediately.

Proactive Monitoring: Review WordPress user account logs for unexpected administrative account creations or unauthorized password resets.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to block suspicious POST requests to the profile completion and OTP validation endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability poses a critical threat to the integrity and security of the affected WordPress environment. Administrators must prioritize updating this plugin to the latest version to close the authentication bypass vector and prevent unauthorized administrative access.