CRITICAL
cyberlord92
CVE published 2026-07-10
CVE-2026-12761
The miniOrange Social Login and Register plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() ret [truncated]