Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.
Published: 2025-12-30
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require in PHP (CWE‑98). It allows an attacker to instruct the plugin to include arbitrary local files, which can lead to disclosure of sensitive configuration information or, in some cases, execution of arbitrary PHP code. The impact therefore includes confidentiality, integrity, and potentially availability risks to the affected WordPress site.

Affected Systems

The flaw affects the miniOrange WordPress Social Login and Register plugin for WordPress, versions from the initial released version through 7.7.0. Any WordPress site that has this plugin installed and has not upgraded beyond 7.7.0 is vulnerable.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. The EPSS score of less than 1% shows a low probability of exploitation at the time of the assessment, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote, where an attacker sends a crafted request that manipulates the include path within the plugin’s login or registration flow. Successful exploitation could allow the attacker to read system files or execute PHP code on the server.

Generated by OpenCVE AI on April 29, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available update for the miniOrange WordPress Social Login and Register plugin (7.7.1 or newer).
  • If an immediate update is not possible, uninstall or deactivate the vulnerable plugin until a fix is available.
  • Configure your web server or PHP environment to restrict file inclusion, such as setting open_basedir to limit accessible directories and disabling direct access to PHP files in the plugin’s directories.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Miniorange
  • Miniorange social Login
  • Miniorange wordpress Social Login And Register (discord, Google, Twitter, Linkedin)
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Miniorange
  • Miniorange social Login
  • Miniorange wordpress Social Login And Register (discord, Google, Twitter, Linkedin)
  • Wordpress
  • Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.

Type: Title
Values Added: WordPress WordPress Social Login and Register plugin <= 7.7.0 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.450Z

Reserved: 2025-12-29T11:17:52.921Z

Link: CVE-2025-68974

Vulnrichment

Updated: 2025-12-30T21:52:36.534Z

NVD

Status: Deferred

Published: 2025-12-30T11:15:55.893

Modified: 2026-04-27T19:16:38.300

Link: CVE-2025-68974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses