CVE-2024-6637

HIGH

WooCommerce - Social Login <2.7.3 - Privilege Escalation

Title source: llm

Description

The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user.

References (2)

[Product] https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/10d92d5e-1c23-4f6a-bfab-0756876190a5?source=cve

Scores

CVSS v3 7.3

EPSS 0.0054

EPSS Percentile 67.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-305

Status published

Products (2)

WPWeb/WooCommerce - Social Login < 2.7.3

wpwebelite/woocommerce_social_login < 2.7.4

Published Jul 20, 2024

Tracked Since Feb 18, 2026