
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-10020 CVSS:8.1

The Heateor Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. The plugin does not sufficiently verify the identity of the user returned by the social login token: it relies on the e-mail address carried in the token to select the site user to log in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, provided they control a social-provider account carrying that user's e-mail address and the targeted user has not already linked an account with the provider returning the token.

CVE-2024-10263 CVSS:7.3

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. The plugin exposes an action that passes a caller-supplied value to do_shortcode() without properly validating it. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes, including shortcodes registered by other plugins or the active theme, since do_shortcode() runs any registered tag it finds in the string.
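The following is an added example, not code from Tickera. It uses a minimal stand-in for WordPress's add_shortcode()/do_shortcode() (supporting only [tag] and [tag key="value"]) so that it runs without WordPress; the handler names, the two registered shortcodes and the request payload are constructed for the illustration. It shows the vulnerable pattern (a request value handed straight to do_shortcode()) beside a hardened handler that validates the one piece of data it needs and builds the shortcode string itself.

```php
<?php
// Minimal stand-in for WordPress's shortcode registry (added example, not
// Tickera's code). Real WordPress has the same function names with richer
// parsing; this is enough to show the pattern.
$registry = [];

function add_shortcode(string $tag, callable $cb): void
{
    global $registry;
    $registry[$tag] = $cb;
}

function do_shortcode(string $content): string
{
    global $registry;
    return preg_replace_callback(
        '/\[([a-z_]+)((?:\s+[a-z_]+="[^"]*")*)\s*\]/',
        function (array $m) use ($registry): string {
            if (!isset($registry[$m[1]])) {
                return $m[0]; // unknown tag is left in place, as WordPress does
            }
            $atts = [];
            preg_match_all('/([a-z_]+)="([^"]*)"/', $m[2], $pairs, PREG_SET_ORDER);
            foreach ($pairs as $p) {
                $atts[$p[1]] = $p[2];
            }
            return ($registry[$m[1]])($atts); // run the registered callback
        },
        $content
    );
}

// Constructed shortcodes: the one the ticketing feature is meant to render,
// and one belonging to some other plugin that exposes sensitive data.
add_shortcode('tc_event', function (array $a): string {
    return 'Event #' . (int) ($a['id'] ?? 0);
});
add_shortcode('secret_report', function (array $a): string {
    return 'CONFIDENTIAL sales report';
});

// Vulnerable pattern (hypothetical handler): a request parameter is passed
// straight to do_shortcode(), so an unauthenticated caller chooses which
// registered shortcode runs, including ones from other plugins.
function vulnerable_handler(array $request): string
{
    return do_shortcode($request['content'] ?? '');
}

// Hardened pattern (hypothetical handler): caller-supplied text is never
// interpreted as shortcode markup. The handler accepts only the datum it
// needs (an event id), validates it strictly, and composes the single
// shortcode it is meant to render itself.
function hardened_handler(array $request): string
{
    $id = $request['event_id'] ?? '';
    if (!preg_match('/^\d{1,10}\z/', $id)) {
        return ''; // anything that is not a plain numeric id is rejected
    }
    return do_shortcode('[tc_event id="' . $id . '"]');
}

// Constructed attacker request: the same payload offered to both handlers.
$attack = ['content' => '[secret_report]', 'event_id' => '[secret_report]'];

echo "vulnerable: ", vulnerable_handler($attack), "\n";
echo "hardened:   ", hardened_handler($attack), "\n";
echo "hardened (legitimate id): ", hardened_handler(['event_id' => '42']), "\n";
```

Run with php on the command line. The vulnerable handler renders the other plugin's shortcode for the attacker; the hardened handler returns an empty string for the same payload and only renders tc_event for a well-formed id. The general rule is that an unauthenticated endpoint should never pass attacker-controlled strings to do_shortcode(): take structured parameters, validate them, and build the shortcode on the server side.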

CVE-2024-10114 CVSS:8.1

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. As with the Heateor issue above, the plugin does not sufficiently verify the identity of the user returned by the social login token and relies on the token's e-mail address to select the site user. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, provided they control a social-provider account carrying that user's e-mail address and the targeted user has not already linked an account with the provider returning the token.
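The following is an added example illustrating the bypass class behind both CVE-2024-10020 and CVE-2024-10114; it is not code from either plugin. In-memory arrays stand in for the WordPress user table and user meta (the real plugins use get_user_by(), get_user_meta() and wp_set_auth_cookie()), and the user records, the token payloads and the function names are constructed for the illustration. It contrasts a login routine that trusts the e-mail address in the provider's token with one that only accepts a (provider, provider user id) pair that was linked from an already-authenticated session.

```php
<?php
// Added example, not code from Heateor or WooCommerce - Social Login.
// Stand-ins for the WordPress user table and the per-user social link meta.
$users = [
    1 => ['login' => 'admin', 'email' => 'admin@example.com'],
    2 => ['login' => 'alice', 'email' => 'alice@example.com'],
];
// "provider:provider_user_id" => WordPress user id. Populated only by
// link_provider(), i.e. from a session that has already authenticated.
$social_links = [];

// Constructed token payloads, as a provider's API would return them after the
// OAuth/OIDC flow. The attacker controls a provider account whose e-mail
// address was set to the site administrator's address.
$alice_token = [
    'provider' => 'google',
    'provider_user_id' => 'alice-uid-777',
    'email' => 'alice@example.com',
];
$attacker_token = [
    'provider' => 'facebook',
    'provider_user_id' => 'attacker-uid-999',
    'email' => 'admin@example.com',
];

function find_user_by_email(string $email): ?int
{
    global $users;
    foreach ($users as $id => $u) {
        if (strcasecmp($u['email'], $email) === 0) {
            return $id;
        }
    }
    return null;
}

// Linking is the only place a provider identity gets tied to a site account,
// and it is called with the id of a user who has already proved a password
// (or other first factor) in the current session.
function link_provider(int $authenticated_user_id, array $token): void
{
    global $social_links;
    $social_links[$token['provider'] . ':' . $token['provider_user_id']] = $authenticated_user_id;
}

// Vulnerable pattern: the e-mail address inside the token is treated as proof
// of identity. Whoever can obtain a provider token with the victim's address
// is logged in as the victim; wp_set_auth_cookie($id) would follow.
function vulnerable_login(array $token): ?int
{
    return find_user_by_email($token['email']);
}

// Hardened pattern: identity is the (provider, provider_user_id) pair and it
// must already be linked. An unlinked token whose e-mail matches an existing
// account is refused instead of being matched by e-mail; the user has to log
// in with their password and link the provider explicitly. An unlinked token
// with an unknown e-mail goes to registration, never to a silent login.
function hardened_login(array $token): ?int
{
    global $social_links;
    $key = $token['provider'] . ':' . $token['provider_user_id'];
    if (isset($social_links[$key])) {
        return $social_links[$key];
    }
    return null; // covers both "existing account, no link" and "no account"
}

// Alice links Google while logged in normally; the attacker never links.
link_provider(2, $alice_token);

var_dump(vulnerable_login($attacker_token)); // admin's id: bypass succeeds
var_dump(hardened_login($attacker_token));   // null: refused
var_dump(hardened_login($alice_token));      // 2: previously linked identity
```

The point of the hardened version is that the e-mail address is an attribute the provider reports, not an identity the site has verified; only a link established from an authenticated session makes a later token-only login safe. When auditing a social login integration, look for the lookup-by-email step and check what happens when no link exists yet.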

Impact

  • Code Execution
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-10020
  • CVE-2024-10263
  • CVE-2024-10114

Affected Vendors

WordPress

Affected Products

  • Heateor Social Login - 1.1.35 and earlier
  • Tickera – WordPress Event Ticketing - 3.5.4.4 and earlier
  • WooCommerce - Social Login - 2.7.7 and earlier

Remediation

Upgrade each affected plugin to the latest version, available from the WordPress Plugin Directory or the vendor's own update channel: any release later than 1.1.35 for Heateor Social Login, later than 3.5.4.4 for Tickera – WordPress Event Ticketing, and later than 2.7.7 for WooCommerce - Social Login. Installed plugin versions can be listed with WP-CLI (wp plugin list --fields=name,version). Because the two social login issues produce a valid session for an existing account rather than creating a new one, also review administrator accounts created or modified recently and any unexpected provider links on privileged accounts after updating.
