CVE-2024-7503: 
WordPress vulnerability analysis and mitigation

The WooCommerce - Social Login plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-7503) affecting versions up to and including 2.7.5. The vulnerability was discovered and reported by Wordfence, with public disclosure on August 12, 2024 (NVD).

The vulnerability stems from the use of loose comparison of the activation code in the 'wooslgconfirmemailuser' function. This implementation flaw has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD, Wordfence Advisory).

The vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators, if they have access to the userID. This attack vector is particularly dangerous when the email module is enabled, potentially leading to complete site compromise (NVD).

Users of the WooCommerce - Social Login plugin should immediately update to a version newer than 2.7.5 to address this vulnerability. If immediate updating is not possible, it is recommended to disable the email module as a temporary mitigation measure (NVD).