CVE-2026-57751
Heateor · Heateor Social Login
An unauthenticated Cross-Site Request Forgery (CSRF) vulnerability in the Heateor Social Login plugin allows attackers to perform unauthorized actions on behalf of users.
Executive summary
An unauthenticated Cross-Site Request Forgery (CSRF) vulnerability in the Heateor Social Login plugin exposes users to unauthorized actions and potential account compromise.
Vulnerability
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick an authenticated user into performing unintended actions. Because the vulnerability is reachable without authentication, it can be leveraged to manipulate plugin settings or user sessions through malicious links.
Business impact
By inducing users to perform actions without their consent, attackers could modify site configurations or compromise individual accounts. A CVSS score of 8.1 highlights the severity of this risk, which could lead to unauthorized administrative changes or widespread disruption of the service for legitimate users.
Remediation
Immediate Action: Upgrade to the latest version of the Heateor Social Login plugin to incorporate required CSRF protection tokens.
Proactive Monitoring: Monitor for unusual administrative activity or changes to plugin settings occurring without clear authorization from trusted personnel.
Compensating Controls: Ensure the implementation of strict SameSite cookie attributes and consider utilizing a WAF to inspect requests for missing or invalid CSRF tokens.
Exploitation status
Public Exploit Available: false
Analyst recommendation
CSRF vulnerabilities are frequently used to gain unauthorized control over web applications. Given the high severity of this vulnerability, administrators should ensure the Heateor Social Login plugin is updated immediately to the latest patched version to secure the application against unauthorized state-changing requests.