PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12761 cyberlord92 CVE debrief

The miniOrange Social Login and Register plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs).

Vendor
cyberlord92
Product
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators of WordPress installations using the miniOrange Social Login and Register plugin, especially those with versions up to and including 7.7.0, should be aware of this vulnerability and take immediate action to protect their sites.

Technical summary

The vulnerability exists in the Profile Completion flow of the miniOrange Social Login and Register plugin. An attacker can submit an arbitrary email address via the 'email_field' POST parameter, which is not verified against the OAuth provider's identity. The send_otp_token() function returns a SHA-512 hash of the customer key and OTP, which can be cracked offline in under a second due to the limited OTP space (wp_rand(1000, 99999)). The cracked OTP can then be submitted to mo_openid_social_login_validate_otp(), allowing the attacker to log in as the user whose email was supplied, granting full administrator access.

Defensive priority

High

Recommended defensive actions

  • Update the miniOrange Social Login and Register plugin to a version beyond 7.7.0.
  • Implement additional authentication mechanisms to verify email addresses against OAuth provider identities.
  • Monitor for suspicious login attempts and OTP requests.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
  • Regularly review and update plugins and themes to ensure the latest security patches are applied.

Evidence notes

The CVE record was published on 2026-07-10T21:16:53.160Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL. Multiple references are provided, including links to the plugin's source code and a Wordfence threat intelligence report.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:53.160Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL.