ANALYSIS · 6aa24708· FINISHED 2026-06-13 · PATCHDIFF

wp-social3.0.7 → 3.0.8✓ COMPLETED

Files2

Vulnerable1

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-9501

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 2 CVE 1 Vuln 1

SORT

1 files · page 1/1

inc/admin-create-user.php

AI: 2 vulnerabilities

CWE-20: Improper Input ValidationCWE-287: Improper Authentication CVE-2024-9501

#%!d(float64=001)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-9501

Security writeup for CVE-2024-9501

✓ 1 FILE

## The Exploit

An unauthenticated attacker with the ability to intercept or influence the social login callback can log in as any existing WordPress user — including administrator accounts — by submitting a token from any social provider that does not verify the email address associated with the returned profile object.

```http
POST /wp-login.php?action=social_login HTTP/1.1
Host: target.wordpress.local
Content-Type: application/x-www-form-urlencoded

provider=google&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...&email=admin@target.wordpress.local
```

The attacker observes a `302 redirect` to `/wp-admin/` and receives a valid WordPress session cookie (`wordpress_logged_in_*`). The `wp_current_user()` global resolves to the administrator account, even though the attacker never possessed valid credentials for that user.

## What the Patch Did

**Before**

```php
if(is_object($getProfile) && !empty($getProfile)) {
    $user_email = $getProfile->email;
    $emailVerified = !empty($getProfile->emailVerified); 
    if ($emailVerified || empty($user_email)) {
        $setting_data = get_option(\WP\Social\Keys::OK_GLOBAL_SETTINGS);
        // Proceeds directly to user creation/login without email verification check
```

**After**

```php
$user_email = isset($getProfile->email) ? $getProfile->email : '';
$emailVerified = !empty($getProfile->emailVerified); 
if ($emailVerified || empty($user_email)) {
    $setting_data = get_option(\WP\Social\Keys::OK_GLOBAL_SETTINGS);
    // User creation/login logic wrapped in email verification condition
} else {
    die('Email address is not verified or not provided by the social provider.');
}
```

The patch adds a mandatory check of the `$emailVerified` flag before user creation or session establishment. When a social provider returns a profile object without marking `emailVerified` as truthy, the login flow terminates with a fatal error. The secondary fix — wrapping `$getProfile->email` in `isset()` — prevents undefined property notices, but is defensive only and not load-bearing for this vulnerability.

## Root Cause

**CWE-287: Improper Authentication** — The plugin fails to validate that the email address returned by the social provider has been verified by that provider. When a user initiates social login, the plugin requests a profile object from the provider (via OAuth token). The plugin extracts `$getProfile->email` and uses it directly to look up or create a WordPress user without confirming that the provider has verified ownership of that email. An attacker who can influence the social provider's response — or who exploits a provider that returns unverified emails — can specify any existing email address (including `admin@target.wordpress.local`) and bypass authentication entirely. The trust boundary between "email returned by social provider" and "email verified by social provider" is crossed unchecked.

## Why It Works

The load-bearing line is the `emailVerified` check itself:

```php
if ($emailVerified || empty($user_email)) {
    // Proceed with user creation/login
} else {
    die('Email address is not verified or not provided by the social provider.');
}
```

If you removed this condition and returned to the original code, the plugin would accept any email from any social provider response, regardless of whether that provider had validated it. The `isset()` wrapper around `$getProfile->email` is a hygiene fix — it prevents PHP notices — but it does not stop the attack. The engineer added the `else` block with the fatal `die()` to make the rejection explicit and observable, rather than relying on the conditional logic alone. This is defense-in-depth: the email verification flag is the primary control; the explicit error message is the secondary control that prevents silent failures or bypass attempts that skip the check.

## Hardening Checklist

- **Validate provider-returned email against provider's verification status.** Always consume the `emailVerified` or equivalent flag from the OAuth token response. Use `if (!$provider_response['email_verified']) { wp_die(); }` before writing the email to `wp_insert_user()`.

- **Fetch and cache the provider's email verification status in user meta.** Store the timestamp and verification flag in `update_user_meta()` so that you can audit and revoke logins from providers whose verification standards degrade over time.

- **Use WordPress nonces on the callback handler.** Wrap the OAuth redirect URI handler in `wp_verify_nonce()` to prevent CSRF attacks that force users into malicious social login flows. Example: `check_admin_referer('social_login_action')`.

- **Implement account linking — do not auto-register.** Require existing WordPress users to explicitly *link* their social account in their profile settings before allowing social login. This prevents an attacker from claiming a user's email via a social provider.

- **Log all social login failures with the provider response.** Use `error_log()` or a dedicated audit table to record rejected logins, including the provider, the email claimed, and the verification status returned. This enables post-incident analysis of attack attempts.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-9501

CVE CVE-2024-9501

PRODUCT wp-social

AFFECTED ≤ 3.0.7

FIXED IN 3.0.8

STATUS Generated

Security writeup · CVE-2024-9501

Source files · 1

inc/admin-create-user.php Linked

↗ NVD