CVE-2022-3477: 
WordPress vulnerability analysis and mitigation

CVE-2022-3477 is a critical authentication bypass vulnerability discovered in the tagDiv Composer WordPress plugin versions below 3.5. The vulnerability was publicly disclosed on October 24, 2022, and affects the plugin's Facebook login feature implementation. The issue impacts not only the plugin itself but also themes that require it, including Newspaper (fixed in 12.1) and Newsmag (fixed in 5.2.2). The vulnerability was discovered and reported by Truoc Phan from Techlab Corporation (WPScan).

The vulnerability stems from improper implementation of the Facebook login feature in the tagDiv Composer plugin. It has been assigned a CVSS score of 10.0 (Critical) and is classified under CWE-287. The vulnerability falls under the OWASP Top 10 category A2: Broken Authentication and Session Management. The technical nature of the flaw allows unauthenticated attackers to bypass authentication controls by exploiting the tdajaxfbloginuser action (WPScan).

The vulnerability allows unauthenticated attackers to gain unauthorized access to any user account on affected WordPress installations by merely knowing the target user's email address. This could lead to complete account takeover and potential privilege escalation, especially if the targeted account has administrative privileges (WPScan).

The vulnerability has been patched in tagDiv Composer version 3.5. Users of affected installations should immediately upgrade to this version or later. Additionally, the associated themes Newspaper and Newsmag should be updated to versions 12.1 and 5.2.2 respectively to ensure complete protection (WPScan).