Impact
The Heateor Social Login WordPress plugin contains an unauthenticated Cross-Site Request Forgery (CSRF) flaw. An attacker can craft a malicious HTTP request that a logged-in user will unknowingly send, causing the plugin to perform privileged actions such as account modification or content alteration. The vulnerability stems from missing or incorrect validation of CSRF tokens, a weakness identified as CWE-352.
Affected Systems
All installations of the Heateor Social Login plugin with versions 1.1.39 or earlier, distributed by Heateor Support, are affected. Any WordPress site that uses these versions is susceptible to the flaw.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is considered high severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is the classic CSRF route: an attacker crafts a request and coerces an authenticated user into sending it, so the attack succeeds without any credential compromise. Because the attacker needs no account of their own (the forged request is sent with the victim's own session), exploitation is straightforward once the victim's session cookie is active.
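The root cause described above (CWE-352, a state-changing handler that never verifies a CSRF token) is easiest to see beside its fix. The following is an added example written for this page, not the Heateor plugin's own code: a hypothetical WordPress profile-update endpoint, first without any CSRF protection and then hardened with WordPress nonces plus a capability check. All function names prefixed with `example_`, the hook names, the form field names and the meta key are assumptions chosen for illustration; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `check_ajax_referer`, `current_user_can`) are the standard ones.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.

// --- Vulnerable pattern (CWE-352): state changes with no CSRF token check ---
add_action( 'admin_post_example_update_profile_insecure', 'example_update_profile_insecure' );
function example_update_profile_insecure() {
    // Only the session cookie is consulted. A request triggered from a
    // third-party page carries that cookie too, so it is processed as if
    // the user had submitted the form themselves.
    $user_id = get_current_user_id();
    $name    = sanitize_text_field( $_POST['display_name'] ?? '' );
    update_user_meta( $user_id, 'example_display_name', $name );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}

// --- Hardened pattern, step 1: embed a nonce in the legitimate form ---
function example_render_profile_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_profile">
        <?php wp_nonce_field( 'example_update_profile', 'example_nonce' ); ?>
        <input type="text" name="display_name">
        <button type="submit">Save</button>
    </form>
    <?php
}

// --- Hardened pattern, step 2: verify nonce and authorization before any write ---
add_action( 'admin_post_example_update_profile', 'example_update_profile' );
function example_update_profile() {
    // check_admin_referer() stops the request with a 403 when the nonce is
    // absent, expired or issued for a different user/action. A cross-origin
    // page cannot obtain the value because it cannot read the form response.
    check_admin_referer( 'example_update_profile', 'example_nonce' );

    // CSRF protection is not authorization: confirm the caller may edit this user.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    $name = sanitize_text_field( $_POST['display_name'] ?? '' );
    update_user_meta( $user_id, 'example_display_name', $name );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}

// --- Same rule for admin-ajax.php handlers, which many login plugins rely on ---
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_ajax' );
function example_update_profile_ajax() {
    // check_ajax_referer() looks for the nonce in $_REQUEST['nonce'] and
    // terminates with -1 / 403 if it is missing or invalid.
    check_ajax_referer( 'example_update_profile', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = sanitize_text_field( $_POST['display_name'] ?? '' );
    update_user_meta( $user_id, 'example_display_name', $name );
    wp_send_json_success();
}
// Note: do not register this handler on wp_ajax_nopriv_*; a handler that
// changes account state must never be reachable without a verified session.
```

When reviewing a plugin for this weakness class, the check is mechanical: list every `admin_post_*`, `wp_ajax_*` and front-end form handler that writes data, and confirm each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write, with a capability check alongside it. Nonces are per-user and time-limited, so the same value cannot be reused by a third party; setting the session cookie with a `SameSite` attribute adds defence in depth but does not replace the token check.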
OpenCVE Enrichment