Analysis Summary

CVE-2024-10020 CVSS:8.1

The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token.

CVE-2024-10263 CVSS:7.3

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVE-2024-10114 CVSS:8.1

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Impact

• Code Execution
• Gain Access

Indicators of Compromise

CVE

• CVE-2024-10020
• CVE-2024-10263
• CVE-2024-10114

Affected Vendors

Remediation

Upgrade to the latest version, available from the WordPress Plugin Directory.

CVE-2024-10020

CVE-2024-10263

CVE-2024-10114