On May 28, 2023, the Wordfence Threat Intelligence team identified an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites, and began the responsible disclosure process. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts used to administer the site, if the attacker knows or can find the associated email address.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence received the same protection on July 2, 2023.
Wordfence contacted miniOrange on May 30, 2023, and received a response on June 2, 2023. After Wordfence provided full disclosure details, the developer released a first patch in version 7.6.4 on June 12, 2023, which still contained a vulnerability. A fully patched version, 7.6.5, was released on June 14, 2023.
We urge users to ensure their sites have been updated with the latest patched version of WordPress Social Login and Register, which is version 7.6.5 at the time of this writing, as soon as possible.
Source and more details: https://www.wordfence.com/blog/2023/06/miniorange-addresses-authentication-bypass-vulnerability-in-wordpress-social-login-and-register-wordpress-plugin