CVE-2026-12761 in miniOrange Social Login and Register Plugininfo

Summary

by MITRE • 07/10/2026

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied — granting full administrator access.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The miniOrange Social Login and Register plugin for WordPress presents a critical authentication bypass vulnerability that enables full account takeover across multiple social login providers including Discord, Google, Twitter, and LinkedIn. This vulnerability affects all versions up to and including 7.7.0 and stems from a fundamental flaw in the profile completion workflow where the system accepts arbitrary email addresses through the 'email_field' POST parameter without proper verification against the OAuth provider's identity assertions. The vulnerability operates through a sophisticated attack chain that exploits weaknesses in both authentication validation and one-time password generation mechanisms.

The technical exploitation begins with the plugin's failure to validate email address ownership during the social login process, allowing attackers to supply any email address regardless of whether it corresponds to the authenticated user from the OAuth provider. This flaw is compounded by the send_otp_token() function which exposes a SHA-512 hash containing customer_key concatenated with the OTP value directly to the client. The vulnerability becomes particularly dangerous due to the limited OTP space of only 99,000 possible values generated using wp_rand(1000, 99999), combined with the static nature of customer_key which remains empty on unregistered installations. This combination creates a highly predictable cryptographic environment where offline brute force attacks can successfully crack the OTP within seconds.

The operational impact of this vulnerability is severe as it provides unauthenticated attackers with complete administrative access to WordPress sites using the plugin. Attackers can trigger OTP emails to arbitrary administrator addresses, leverage the exposed transaction hashes to quickly crack the one-time passwords through offline dictionary attacks, and then submit valid OTPs to the mo_openid_social_login_validate_otp() function to achieve full authentication bypass. This vulnerability directly maps to CWE-287 (Improper Authentication) and aligns with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) as it enables attackers to impersonate legitimate users through social login integration.

Organizations should immediately update to the latest plugin version where this vulnerability has been addressed through proper email verification during OAuth flows and strengthened OTP generation mechanisms. The mitigation strategy must include implementing proper input validation for email addresses, ensuring cryptographic randomness in OTP generation, and removing exposure of sensitive transaction hashes to client-side components. Additionally, administrators should review their WordPress installation's security posture by verifying that no other plugins suffer from similar authentication bypass vulnerabilities and implementing additional monitoring for suspicious login patterns or unauthorized account modifications. The vulnerability highlights the critical importance of proper OAuth integration practices where identity assertions from external providers must be strictly validated against user-provided information before any account binding operations occur, as recommended in OWASP's authentication security guidelines.

Responsible

Wordfence

Reservation

06/19/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!