
CVE-2022-3477: CWE-287 Improper Authentication in tagDiv tagDiv Composer

Critical
Published: Mon Nov 14 2022 (11/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: tagDiv
Product: tagDiv Composer

Description

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user by just knowing their email address.

AI-Powered Analysis

AI analysis last updated: 07/02/2025, 03:26:31 UTC

Technical Analysis

CVE-2022-3477 is a critical vulnerability in the tagDiv Composer WordPress plugin, affecting versions before 3.5. The plugin is a core component required by the popular Newspaper WordPress theme (versions before 12.1) and the Newsmag WordPress theme (versions before 5.2.2). The vulnerability arises from improper authentication (CWE-287) in the implementation of the Facebook login feature. Because of flawed validation logic, an unauthenticated attacker can bypass normal authentication controls and log in as any user simply by knowing that user's email address. No password or additional authentication factor is required, and no user interaction is needed.

The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity: the attack vector is the network, no privileges are required, no user interaction is needed, and the impact on confidentiality, integrity, and availability is full. Exploiting the flaw allows an attacker to fully compromise user accounts, potentially including administrative accounts, leading to unauthorized access, data theft, content manipulation, or complete site takeover.

Although no known exploits in the wild have been reported yet, the ease of exploitation and the critical impact make this a high-risk vulnerability for WordPress sites using the affected themes and plugin versions. The vulnerability was published on November 14, 2022, and is tracked by WPScan and CISA. No official patch links were provided in the data, but upgrading to tagDiv Composer 3.5 or later and the corresponding theme versions is essential to remediate this issue.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites built with the Newspaper or Newsmag themes, which are widely used for news, media, and content publishing. Successful exploitation can lead to unauthorized access to sensitive user data, defacement of websites, injection of malicious content, or use of compromised sites as a platform for further attacks such as phishing or malware distribution. This can result in reputational damage, loss of customer trust, regulatory non-compliance (e.g., GDPR violations due to data breaches), and financial losses. Given the critical nature of the vulnerability and the fact that it requires only an email address to exploit, attackers can target high-profile European media outlets or corporate blogs to disrupt operations or steal confidential information. The impact extends beyond just the compromised website, as attackers could leverage access to pivot into internal networks if the WordPress instance is integrated with other enterprise systems.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately verify whether they are using affected versions of the tagDiv Composer plugin and the Newspaper or Newsmag themes. The primary mitigation is to upgrade tagDiv Composer to version 3.5 or later, the Newspaper theme to version 12.1 or later, and the Newsmag theme to version 5.2.2 or later, where the authentication flaw has been fixed. If immediate upgrades are not feasible, temporarily disabling the Facebook login feature within the plugin settings can reduce exposure. Additionally, organizations should monitor for unusual login activity, especially logins without corresponding password authentication. Enforcing multi-factor authentication (MFA) on WordPress accounts, where possible, adds another layer of defense. Regularly auditing user accounts and removing inactive or suspicious accounts can limit potential damage. Web application firewalls (WAFs) with custom rules to detect and block suspicious login attempts based on email enumeration patterns may also help. Finally, maintaining regular backups of website data ensures recovery in case of compromise.
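The version check recommended above can be automated across a site inventory. The following is an added example, not code from tagDiv or from this advisory: it reads component records in the JSON shape that `wp plugin list --format=json` and `wp theme list --format=json` produce and flags anything older than the fixed versions named here. The slugs `td-composer`, `newspaper` and `newsmag` are assumptions about how the components are named on disk.

```python
import json
import re

# Fixed versions from the advisory. The slugs are assumptions about how the
# components are named in WP-CLI output; adjust them to your inventory.
FIXED = {"td-composer": "3.5", "newspaper": "12.1", "newsmag": "5.2.2"}

def parse_version(text):
    """'5.2.1-beta' -> (5, 2, 1); returns () when no leading number exists."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_older(installed, fixed):
    """Compare dotted versions numerically, padding the shorter with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory_json):
    """Return (slug, version, status, action) for each affected component."""
    findings = []
    for item in json.loads(inventory_json):
        slug = str(item.get("name", "")).lower()
        if slug not in FIXED:
            continue
        version, status = str(item.get("version", "")), item.get("status", "?")
        if not parse_version(version):
            findings.append((slug, version, status, "version unreadable, check manually"))
        elif is_older(version, FIXED[slug]):
            findings.append((slug, version, status, f"upgrade to {FIXED[slug]} or later"))
    return findings

# Constructed sample in the shape of `wp plugin list --format=json` and
# `wp theme list --format=json` output, merged into one array.
SAMPLE = json.dumps([
    {"name": "td-composer", "status": "active", "version": "3.4"},
    {"name": "Newspaper", "status": "active", "version": "12.1"},
    {"name": "Newsmag", "status": "inactive", "version": "5.2.1"},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Inactive components are reported as well, since an outdated copy left on disk can be reactivated later.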


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-10-12T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed822

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 7/2/2025, 3:26:31 AM

Last updated: 8/9/2025, 9:13:11 AM
