Description

WordPress Plugin Login as User or Customer is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently install arbitrary plugins. WordPress Plugin Login as User or Customer version 1.7 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.8 or latest

References

https://ithemes.com/wordpress-vulnerability-report-april-2021-part-4/

https://plugins.trac.wordpress.org/changeset/2494721/

Related Vulnerabilities

WordPress Plugin KJM Admin Notices Cross-Site Scripting (2.0.1)

WordPress Plugin WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Unspecified Vulnerability (7.2)

WordPress Plugin NextGEN Gallery-WordPress Gallery Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities (1.8.3)

WordPress Plugin WooCommerce Upload My File Cross-Site Request Forgery (0.3.9)

Drupal Core 4.5.x Session Fixation (4.5.0 - 4.5.7)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Tags

Missing Update Authentication Bypass