#VU92117 Missing Authentication for Critical Function in BP Social Connect - CVE-2023-2704

 

Published: June 14, 2024


Vulnerability identifier: #VU92117
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-2704
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
BP Social Connect
Software vendor:
VibeThemes

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists because the plugin does not sufficiently verify the user supplied during a Facebook login. A remote unauthenticated attacker can bypass security restrictions on the target system and log in as any existing user on the site, such as an administrator.
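
The class of flaw described above, shown as an added example that is not taken from BP Social Connect or from the vendor: a generic social-login handler that trusts the identity named in the request, next to one that derives the identity only from a token checked server-side. The function names, app id, accounts, tokens and the inspect_token() stand-in for the provider's token inspection call are all assumptions constructed for illustration.

```php
<?php
// Added illustration, not BP Social Connect code; every name here is hypothetical.
const APP_ID = '1234567890'; // constructed app id of this site
// Constructed local accounts: username => Facebook user id linked at enrolment.
const LINKED_FB_IDS = ['admin' => '1000001', 'alice' => '1000002'];

// Stand-in for the server-to-server token inspection call. It returns what the
// identity provider reports about a token (constructed sample data, no network).
function inspect_token(string $token): ?array {
    $known = [
        'tok-alice'    => ['is_valid' => true,  'app_id' => '1234567890', 'user_id' => '1000002'],
        'tok-otherapp' => ['is_valid' => true,  'app_id' => '9999999999', 'user_id' => '1000001'],
        'tok-expired'  => ['is_valid' => false, 'app_id' => '1234567890', 'user_id' => '1000001'],
    ];
    return $known[$token] ?? null;
}

// Weak pattern: the account to log in is chosen from a request field.
function login_unverified(array $request): ?string {
    $user = $request['username'] ?? '';
    return array_key_exists($user, LINKED_FB_IDS) ? $user : null;
}

// Hardened pattern: the account is chosen only from the verified token.
function login_verified(array $request): ?string {
    $info = inspect_token((string)($request['access_token'] ?? ''));
    if ($info === null || $info['is_valid'] !== true) {
        return null; // unknown, expired or revoked token
    }
    if (!hash_equals(APP_ID, $info['app_id'])) {
        return null; // token was issued to a different application
    }
    $user = array_search($info['user_id'], LINKED_FB_IDS, true);
    return $user === false ? null : $user; // request's username is never consulted
}

// Constructed requests: each claims "admin" but carries a different token.
$requests = [
    ['username' => 'admin', 'access_token' => 'tok-alice'],
    ['username' => 'admin', 'access_token' => 'tok-otherapp'],
    ['username' => 'admin', 'access_token' => 'tok-expired'],
];
foreach ($requests as $r) {
    printf("claimed=%s token=%s unverified=%s verified=%s\n", $r['username'], $r['access_token'],
        var_export(login_unverified($r), true), var_export(login_verified($r), true));
}
```

When reviewing a social-login integration, the check to look for is the one in login_verified(): the session is bound to the provider user id returned by token inspection, and the token's application id is compared with the site's own.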


Remediation

Install updates from the vendor's website.

External links