CVE-2026-22337

Directorist · Social Login

An Incorrect Privilege Assignment vulnerability in the Directorist Social Login plugin allows for privilege escalation due to insufficient authorization checks.

Executive summary

The Directorist Social Login plugin is vulnerable to a critical privilege escalation flaw that could allow unauthorized users to gain elevated administrative access.

Vulnerability

The flaw is an incorrect privilege assignment (CWE-266) in the Social Login component: a user who goes through the social login flow can end up holding more capabilities than the plugin's role checks are meant to grant. The advisory does not state whether an attacker needs an existing account. A base score of 9.8 under CVSS v3 corresponds to a network-reachable flaw that requires no privileges and no user interaction, which would put it within reach of an unauthenticated visitor, but that is an inference from the score rather than a detail the advisory confirms. Until the vendor clarifies, treat any request that can reach the social login flow, with or without a session, as a potential source of escalation.

Business impact

Privilege escalation to the administrator role is equivalent to full control of the WordPress installation. An attacker with that access can change site configuration, install or edit plugins and themes (and so run arbitrary PHP on the host), inject content, create further accounts for persistence, and read or export user data. With a CVSS base score of 9.8, this is a critical risk that can lead to total site compromise.

Remediation

Immediate Action: Update the Directorist Social Login plugin to version 2.1.4 or later. If the social login feature is not needed, disable the plugin until the update has been applied.

Proactive Monitoring: WordPress core keeps no audit log of account creation or role changes, so review the state directly: list every account holding the administrator role, compare it with the site's known administrators, check registration dates against the period the vulnerable version was installed, and compare current role assignments with an earlier export or backup. If an activity-logging plugin is installed, review its records for role changes; web server access logs can show when the social login flow was exercised.

Compensating Controls: Where patching is delayed, put a Web Application Firewall (WAF) in front of the site and alert on or block requests to the plugin's social login and user-management endpoints, in particular when the social login feature is not in active use. A WAF rule narrows exposure but does not remove the flaw; the update is still required.
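The version check and the user review described above, written out as an added example. This is not code from the advisory or from the Directorist plugin. The CSV blobs are constructed sample data laid out in the columns that `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv` exports; the approved-administrator set and the review window are assumptions a site owner would fill in from their own records.

```python
"""Post-advisory checks: plugin version, unexpected administrators, role drift.

Added example, not code from the advisory or the plugin. Sample CSV data below is
constructed; KNOWN_ADMINS and REVIEW_WINDOW_START are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

FIXED_VERSION = "2.1.4"  # fixed version named in the advisory


def parse_version(version: str) -> tuple:
    """'2.1.4' -> (2, 1, 4); a suffix such as '2.1.4-beta' is dropped before comparing."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


# Constructed export taken before the exposure window (assumed known-good baseline).
BASELINE_USER_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.test,2021-03-02 09:15:00,administrator
2,editor_jane,jane@example.test,2022-07-19 14:02:11,editor
7,shopper42,shopper42@example.test,2024-01-05 18:44:09,subscriber
"""

# Constructed export taken now: one account elevated, one new administrator, one new subscriber.
CURRENT_USER_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.test,2021-03-02 09:15:00,administrator
2,editor_jane,jane@example.test,2022-07-19 14:02:11,editor
7,shopper42,shopper42@example.test,2024-01-05 18:44:09,administrator
8,s0cial_9f3a,noreply@mail.example,2024-01-06 02:13:57,administrator
9,newsubscriber,someone@example.test,2024-01-06 03:00:00,subscriber
"""

KNOWN_ADMINS = {"siteowner"}  # assumption: logins the site owner recognises as administrators
REVIEW_WINDOW_START = datetime(2024, 1, 6, tzinfo=timezone.utc)  # assumption: start of exposure


def _rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_users(csv_text: str, known_admins: set, window_start: datetime) -> list:
    """One finding per administrator account that is unapproved or registered inside the window.

    user_registered in WordPress is stored in UTC, so it is compared as UTC here.
    """
    findings = []
    for row in _rows(csv_text):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not in approved admin list")
        if registered >= window_start:
            reasons.append("registered inside review window")
        if reasons:
            findings.append({"ID": row["ID"], "user_login": row["user_login"],
                             "user_email": row["user_email"], "reasons": reasons})
    return findings


def diff_roles(baseline_csv: str, current_csv: str) -> list:
    """Accounts that appeared, or whose roles changed, between two exports."""
    before = {row["ID"]: row for row in _rows(baseline_csv)}
    changes = []
    for row in _rows(current_csv):
        old = before.get(row["ID"])
        if old is None:
            changes.append({"user_login": row["user_login"], "change": "new account",
                            "roles": row["roles"]})
        elif old["roles"] != row["roles"]:
            changes.append({"user_login": row["user_login"], "change": "roles changed",
                            "before": old["roles"], "after": row["roles"]})
    return changes


if __name__ == "__main__":
    for installed in ("2.1.3", "2.1.4"):
        print(f"version {installed}: {'patched' if is_patched(installed) else 'VULNERABLE'}")
    for f in audit_users(CURRENT_USER_CSV, KNOWN_ADMINS, REVIEW_WINDOW_START):
        print("suspicious admin:", f["user_login"], "->", "; ".join(f["reasons"]))
    for c in diff_roles(BASELINE_USER_CSV, CURRENT_USER_CSV):
        print("change:", c)
```

Run against a real site by replacing the two constants with exports from `wp user list` taken from a pre-exposure backup and from the live database; every account the script reports should be confirmed with the site owner, and any administrator that cannot be accounted for should be demoted or removed and its sessions invalidated.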

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical CVSS severity and the uncertainty over whether authentication is required, administrators should patch this plugin first among pending updates and then review administrator accounts for anything created or elevated while the vulnerable version was installed. An unpatched site remains open to full administrative takeover.