PatchSiren cyber security CVE debrief
CVE-2026-12761 cyberlord92 CVE debrief
The miniOrange Social Login and Register plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs).
- Vendor
- cyberlord92
- Product
- miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators of WordPress installations using the miniOrange Social Login and Register plugin, especially those with versions up to and including 7.7.0, should be aware of this vulnerability and take immediate action to protect their sites.
Technical summary
The vulnerability exists in the Profile Completion flow of the miniOrange Social Login and Register plugin. An attacker can submit an arbitrary email address via the 'email_field' POST parameter, which is not verified against the OAuth provider's identity. The send_otp_token() function returns a SHA-512 hash of the customer key and OTP, which can be cracked offline in under a second due to the limited OTP space (wp_rand(1000, 99999)). The cracked OTP can then be submitted to mo_openid_social_login_validate_otp(), allowing the attacker to log in as the user whose email was supplied, granting full administrator access.
Defensive priority
High
Recommended defensive actions
- Update the miniOrange Social Login and Register plugin to a version beyond 7.7.0.
- Implement additional authentication mechanisms to verify email addresses against OAuth provider identities.
- Monitor for suspicious login attempts and OTP requests.
- Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
- Regularly review and update plugins and themes to ensure the latest security patches are applied.
Evidence notes
The CVE record was published on 2026-07-10T21:16:53.160Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL. Multiple references are provided, including links to the plugin's source code and a Wordfence threat intelligence report.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:53.160Z and has not been modified since then. The NVD entry is currently 9.8 CRITICAL.