CVE-2024-6637 Overview
CVE-2024-6637 affects the WooCommerce - Social Login plugin for WordPress, published by wpwebelite. The vulnerability allows unauthenticated attackers to brute force a weak one-time password (OTP) used for authentication. The flaw exists in all versions up to and including 2.7.3. Because the plugin lacks brute force controls on this OTP, an attacker who knows a target user's email address can guess the OTP and log in as that user. Administrator accounts are excluded from the attack, but any other role can be hijacked. The issue is tracked under CWE-305: Authentication Bypass by Primary Weakness.
Critical Impact
Unauthenticated attackers can take over arbitrary non-administrator WordPress accounts by brute forcing a weak one-time password, leading to privilege escalation and account compromise.
Affected Products
- WooCommerce - Social Login plugin for WordPress (wpwebelite:woocommerce_social_login)
- All versions up to and including 2.7.3
- WordPress sites running WooCommerce with this plugin enabled
Discovery Timeline
- 2024-07-20 - CVE-2024-6637 published to NVD
- 2025-02-11 - Last updated in NVD database
Technical Details for CVE-2024-6637
Vulnerability Analysis
The WooCommerce - Social Login plugin issues a one-time password as part of its authentication flow. The OTP has insufficient entropy and the plugin does not rate limit or lock out repeated authentication attempts. An attacker who knows the email address of a registered user can submit OTP guesses until one succeeds. Because authentication succeeds without any other credential, a successful guess yields a logged-in session as that user.
The attack runs over the network, requires no authentication, and requires no user interaction. The only prerequisite is the target's email address, which is often discoverable through author archives, comment metadata, or leaked datasets.
Root Cause
The root cause is twofold. First, the OTP generation is weak, producing a value with a small enough keyspace to be guessable. Second, the plugin lacks brute force controls such as attempt counters, account lockouts, CAPTCHA, or progressive delays. These two weaknesses combine to allow unbounded automated guessing of the OTP. This pattern maps to CWE-305, where the primary authentication mechanism can be bypassed by exploiting its weakness.
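To make the two halves of the root cause concrete, here is a small added example (written for this page, not the plugin's own code) that models an OTP verifier with exactly the weaknesses described, next to a hardened one that addresses each of them: a code drawn from the OS CSPRNG with a large keyspace, a short lifetime, single use, a constant-time comparison, a per-code attempt counter, and an account-level lockout. The class names, limits and the in-memory storage are assumptions chosen for illustration; a real plugin would persist the state in the database and hook the lockout into its login flow.

```python
"""Weak versus hardened OTP verification (generic model, not the plugin's code)."""
import hmac
import random
import secrets
import time


class WeakOtpVerifier:
    """The pattern CWE-305 describes: small keyspace and no brute force controls."""

    def __init__(self):
        self.codes = {}  # email -> issued OTP

    def issue(self, email):
        # Four decimal digits from a non-cryptographic PRNG: only 10,000 possibilities.
        code = "%04d" % random.randint(0, 9999)
        self.codes[email] = code
        return code

    def verify(self, email, guess):
        # No attempt counter, no expiry, no single use: the code stays valid
        # for as many submissions as a client cares to send.
        return self.codes.get(email) == guess


class HardenedOtpVerifier:
    """Same interface, with the controls the root cause section says are missing."""

    OTP_BYTES = 16         # 128 bits of entropy from the OS CSPRNG
    TTL_SECONDS = 300      # an issued code expires after five minutes
    MAX_ATTEMPTS = 5       # failed submissions tolerated per issued code
    LOCKOUT_SECONDS = 900  # account-level lockout once that budget is spent

    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so expiry can be tested
        self.codes = {}             # email -> (otp, issued_at)
        self.failures = {}          # email -> failed attempts on the current code
        self.locked_until = {}      # email -> unix time at which the lockout ends

    def issue(self, email):
        if self.locked_until.get(email, 0) > self.now():
            raise PermissionError("account temporarily locked")
        code = secrets.token_hex(self.OTP_BYTES)
        self.codes[email] = (code, self.now())
        self.failures[email] = 0
        return code

    def verify(self, email, guess):
        t = self.now()
        if self.locked_until.get(email, 0) > t:
            return False                      # locked: refuse even a correct code
        entry = self.codes.get(email)
        if entry is None:
            return False                      # nothing outstanding for this account
        code, issued_at = entry
        if t - issued_at > self.TTL_SECONDS:
            del self.codes[email]             # expired: force a fresh issue
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self.codes[email]             # single use
            self.failures[email] = 0
            return True
        self.failures[email] = self.failures.get(email, 0) + 1
        if self.failures[email] >= self.MAX_ATTEMPTS:
            del self.codes[email]             # invalidate the code being guessed
            self.locked_until[email] = t + self.LOCKOUT_SECONDS
        return False


if __name__ == "__main__":
    v = HardenedOtpVerifier()
    code = v.issue("user@example.test")
    print("wrong guess accepted:", v.verify("user@example.test", "0000"))
    print("right code accepted:", v.verify("user@example.test", code))
    print("replay accepted:", v.verify("user@example.test", code))
```

The weak class is kept deliberately minimal so the contrast is visible line by line: the hardened version rejects a guess for four independent reasons (lockout, no outstanding code, expiry, mismatch), and a correct code is accepted at most once.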
Attack Vector
An attacker enumerates or harvests a target email address from public sources. The attacker then triggers the social login OTP flow for that email and submits automated requests against the OTP verification endpoint. With no rate limiting in place, the attacker iterates through the OTP keyspace until the server accepts the guess. Once authenticated, the attacker holds the same role as the victim, which may include Shop Manager, Editor, Author, or Customer with stored payment data. The vulnerability cannot be used against Administrator accounts.
The vulnerability is described in prose rather than code because no verified public proof-of-concept is available. See the Wordfence Vulnerability Report for additional technical detail.
Detection Methods for CVE-2024-6637
Indicators of Compromise
- High volume of POST requests to the WooCommerce Social Login OTP verification endpoint from a single IP or distributed source
- Multiple failed OTP submissions for the same email address within a short window
- Successful logins immediately following a burst of OTP requests for the same account
- New WordPress sessions for non-administrator users from unfamiliar IP addresses or geolocations
Detection Strategies
- Inspect WordPress and web server access logs for repeated requests to social login OTP endpoints associated with the woocommerce_social_login plugin
- Correlate authentication success events with prior failed OTP attempts on the same account
- Alert on user role changes, profile email changes, or password resets following OTP login activity
Monitoring Recommendations
- Forward WordPress authentication and plugin logs to a centralized logging or SIEM platform for correlation
- Monitor for abnormal request rates against /wp-admin/admin-ajax.php actions tied to the plugin
- Track outbound activity from web hosts for signs of post-compromise actions such as content modification or data exfiltration
How to Mitigate CVE-2024-6637
Immediate Actions Required
- Update the WooCommerce - Social Login plugin to a version later than 2.7.3 once released by the vendor
- If no fixed version is available, deactivate and remove the plugin from affected WordPress installations
- Force a password reset for all non-administrator accounts that may have been targeted
- Audit recent login activity and user role changes for signs of unauthorized access
Patch Information
At the time of publication, the vendor wpwebelite had not published a fixed version reference in the NVD entry. Administrators should consult the CodeCanyon plugin page and the Wordfence Vulnerability Report for current patch status before updating.
Workarounds
- Deploy a Web Application Firewall (WAF) rule that rate limits requests to the plugin's OTP verification endpoint
- Restrict access to WordPress login and AJAX endpoints by IP where feasible
- Enforce multi-factor authentication on all WordPress accounts using a separate MFA plugin
- Disable the social login feature until a patched plugin version is installed
# Example NGINX rate limit for the WordPress AJAX endpoint (10 requests/minute per client IP).
# limit_req_zone belongs in the http {} context; the location block goes in the site's server {}.
# admin-ajax.php also serves legitimate front-end requests from many plugins, so tune rate and
# burst to observed traffic rather than copying these numbers.
limit_req_zone $binary_remote_addr zone=wp_ajax:10m rate=10r/m;
location = /wp-admin/admin-ajax.php {
    # Allow a short burst, then reject excess requests immediately instead of queuing them
    limit_req zone=wp_ajax burst=5 nodelay;
    include fastcgi_params;
    fastcgi_pass php_upstream;   # placeholder: replace with your PHP-FPM upstream name or socket
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

