CVE-2024-10114: 
WordPress vulnerability analysis and mitigation

The WooCommerce - Social Login plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-10114) affecting all versions up to and including 2.7.7. The vulnerability was discovered and disclosed in November 2024. The issue affects the social login functionality of the plugin, which is used to enable social media authentication in WordPress installations (NVD).

The vulnerability stems from insufficient verification of users being returned by social login tokens. This security flaw allows unauthenticated attackers to potentially log in as any existing user on the site, including administrators, if they have access to the email and the user does not have an existing account for the service returning the token. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to bypass authentication mechanisms and potentially gain unauthorized access to any existing user account on the affected WordPress site, including administrator accounts. This could lead to complete site compromise, unauthorized access to sensitive information, and potential modification of site content (NVD).

The vulnerability has been patched in version 2.7.8 of the WooCommerce - Social Login plugin. Site administrators are strongly advised to update their installations to this version or later. The fix addresses the insufficient verification issue in the social login token handling (Changelog).