Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass via Disqus OAuth provider
Description
Authentication bypass in Heateor Social Login WordPress plugin up to 1.1.35 allows unauthenticated attackers to log in as any existing user via insufficient token verification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Heateor Social Login WordPress plugin (slug: social-login) is vulnerable to authentication bypass in all versions up to and including 1.1.35 [1]. The flaw is insufficient verification of the user returned by the social login token: the WordPress account to log in is selected from the e-mail address in the provider's profile, so controlling a provider account that carries a given address is treated as proof of owning the site account with that address. An attacker can therefore authenticate as any existing user whose e-mail address they know, provided that user has not already connected an account for the service that returned the token.
Exploitation
No authentication is required. The attacker needs only the target's e-mail address: they register or control an account at the social login provider (the Disqus OAuth provider named in the title) whose profile carries that address, then start the plugin's login flow for that provider. After the token exchange the plugin looks up a WordPress user by the e-mail address in the returned profile and, because it performs no further verification, establishes a session for the target user. By default the plugin does not log in administrator accounts this way; that is only possible if the plugin's settings explicitly allow admin authentication.
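The following is an added example, not code from the Heateor Social Login plugin, that models the account-resolution step of an OAuth callback as the Vulnerability and Exploitation paragraphs describe it: a flawed resolver that selects the WordPress user by the profile e-mail alone (honouring the advisory's precondition that an account already connected to the same service is not taken over) beside a resolver that only logs in on an identity the owner linked earlier. The user table, provider profiles and identifiers are constructed for illustration.

```python
"""Model of the account-resolution step in an OAuth social-login callback.

Added example, not code from the Heateor Social Login plugin. USERS, the
profiles and every identifier below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class WPUser:
    user_id: int
    email: str
    role: str
    # (provider, provider_uid) pairs the owner linked while logged in normally.
    linked_identities: set = field(default_factory=set)


@dataclass(frozen=True)
class ProviderProfile:
    """What the provider's user-info endpoint returns after the token exchange."""
    provider: str
    provider_uid: str
    email: str


# Constructed site state: only user 3 has ever connected a Disqus account.
USERS = {
    1: WPUser(1, "admin@example.test", "administrator"),
    2: WPUser(2, "editor@example.test", "editor"),
    3: WPUser(3, "reader@example.test", "subscriber", {("disqus", "dq-777")}),
}


def find_by_email(email):
    email = email.strip().lower()
    return next((u for u in USERS.values() if u.email.lower() == email), None)


def find_by_identity(provider, provider_uid):
    return next((u for u in USERS.values()
                 if (provider, provider_uid) in u.linked_identities), None)


def resolve_user_vulnerable(profile, allow_admin=False):
    """Flawed resolution: an e-mail match is taken as proof of account ownership.

    Whoever controls a provider account whose profile e-mail equals a site
    user's address is logged in as that user. Only the admin switch the
    advisory mentions stands between the attacker and administrator accounts.
    """
    user = find_by_identity(profile.provider, profile.provider_uid)
    if user is None:
        user = find_by_email(profile.email)
        # Advisory precondition: an account already connected to this service
        # (under a different provider uid) is not matched by e-mail.
        if user is not None and any(p == profile.provider
                                    for p, _ in user.linked_identities):
            return None
    if user is None:
        return None  # no such user; a real plugin would register a new account
    if user.role == "administrator" and not allow_admin:
        return None
    return user


def resolve_user_hardened(profile):
    """Resolution that never logs in on an e-mail match alone.

    Returns ("login", user_id) only for an identity the owner linked earlier.
    An unlinked profile whose e-mail collides with an existing account yields
    ("link_required", user_id): the site must authenticate that user with
    their WordPress credentials before storing the identity. Anything else is
    a genuinely new visitor and goes to registration.
    """
    user = find_by_identity(profile.provider, profile.provider_uid)
    if user is not None:
        return ("login", user.user_id)
    existing = find_by_email(profile.email)
    if existing is not None:
        return ("link_required", existing.user_id)
    return ("register", None)


if __name__ == "__main__":
    attacker = ProviderProfile("disqus", "dq-attacker", "editor@example.test")
    print("vulnerable:", resolve_user_vulnerable(attacker))
    print("hardened:  ", resolve_user_hardened(attacker))
```

The hardened variant deliberately has no "trusted provider" shortcut for e-mail matches: a provider that lets anyone register an arbitrary address makes the e-mail claim worthless, and the only proof of ownership the site can verify itself is the existing WordPress password.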
Impact
Successful exploitation gives the attacker a logged-in session for any existing account on the site (subscriber, contributor, editor, and so on). If administrator authentication is enabled in the plugin settings, administrator accounts are exposed as well. The attacker can then act as that user: read private data, alter or publish content, and use the account's capabilities as a foothold for further privilege escalation.
Mitigation
The plugin was closed and removed from the WordPress.org plugin directory on June 6, 2018, and no patched version has been published [1]. Sites that still have it installed should uninstall it entirely rather than merely deactivating it and, if social login is still required, move to an alternative plugin that is actively maintained.
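A quick way to find out whether a WordPress install still carries the plugin, as an added example that is not part of the advisory or the plugin: it looks for a plugin directory named after the WordPress.org slug and reads the version from the standard plugin header, the same header WordPress itself parses from the first 8 KiB of a top-level .php file. The directory name, the main file name and the header values in the sample install are assumptions constructed for the example.

```python
"""Check a WordPress plugins directory for the withdrawn social-login plugin.

Added example, not part of the advisory or the plugin. Assumes the plugin
directory is named after its WordPress.org slug and that its main file has a
standard plugin header; the sample install below is constructed.
"""
import os
import re
import tempfile

SLUG = "social-login"
LAST_AFFECTED = "1.1.35"  # advisory: all versions up to and including 1.1.35

# Header lines look like "Plugin Name: ..." or " * Version: ..." inside a comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Constructed main plugin file; file name and header values are illustrative.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: Heateor Social Login WordPress
Version: 1.1.35
*/
"""


def parse_plugin_header(php_source):
    """Return the recognised header fields from the first 8 KiB of a file."""
    return dict(HEADER_RE.findall(php_source[:8192]))


def version_tuple(version):
    """Numeric dotted comparison, enough for the x.y.z versions in question."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) or (0,)


def is_affected(version):
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


def find_plugin(plugins_dir, slug=SLUG):
    """Return (plugin name, version) for <plugins_dir>/<slug>, or None if absent.

    Like WordPress, take the first top-level .php file with a Plugin Name header.
    """
    plugin_dir = os.path.join(plugins_dir, slug)
    if not os.path.isdir(plugin_dir):
        return None
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = parse_plugin_header(fh.read(8192))
        if "Plugin Name" in header:
            return header["Plugin Name"], header.get("Version", "0")
    return None


def audit(plugins_dir):
    """'absent', 'affected', or 'unexpected-version'.

    No fixed release was ever published, so an unrecognised version is not
    evidence of a fix and the plugin should still be removed.
    """
    found = find_plugin(plugins_dir)
    if found is None:
        return "absent"
    _name, version = found
    return "affected" if is_affected(version) else "unexpected-version"


def build_sample_site():
    """Create a constructed wp-content/plugins tree containing the plugin."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, SLUG))
    with open(os.path.join(plugins, SLUG, "social-login.php"), "w",
              encoding="utf-8") as fh:
        fh.write(SAMPLE_PLUGIN_FILE)
    return plugins


if __name__ == "__main__":
    print(audit(build_sample_site()))
```

Point `audit()` at a real install's wp-content/plugins directory to check it; a result other than "absent" means the plugin files are still on disk and the uninstall described above has not been completed.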
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- heateor / Heateor Social Login WordPress: versions <= 1.1.35
Patches
- r3177729, social-login: This plugin has been removed from the WordPress.org directory on 2018-06-06 (reason: Unused). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References (2)
News mentions (0)
No linked articles in our index yet.