CVE-2024-9946: CWE-287 Improper Authentication in the_champ Social Share, Social Login and Social Comments Plugin – Super Socializer
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also at risk if authentication for administrators has explicitly been allowed via the social login. The vulnerability was partially patched in version 7.13.68.
AI Analysis
Technical Summary
CVE-2024-9946 is an improper authentication vulnerability (CWE-287) in the Super Socializer plugin for WordPress, affecting versions up to 7.13.68. The issue is due to insufficient verification of the user identity returned by social login tokens, enabling attackers with knowledge of a user's email to bypass authentication and log in as that user. Administrator accounts are not vulnerable by default but can be compromised if social login is enabled for them. A partial fix was introduced in version 7.13.68, but no full patch or official fix status is provided in the available data.
Potential Impact
Successful exploitation allows unauthenticated attackers to impersonate any existing user on the affected WordPress site, potentially leading to full compromise of those user accounts. The CVSS impact metrics rate confidentiality, integrity, and availability impact as High. Administrator accounts are protected by default but are at risk if social login has explicitly been enabled for them, which raises the potential impact to full site compromise.
Mitigation Recommendations
A partial patch was introduced in version 7.13.68, but no complete official fix or patch link is provided in the available data. Users should upgrade to at least version 7.13.68 to benefit from the partial remediation. Since the vulnerability lies in the verification of the user returned by the social login token, administrators should consider disabling social login for administrator accounts until a full fix is confirmed. Patch status is not yet confirmed as fully resolved; check the vendor advisory for current remediation guidance.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-14T18:14:13.495Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b65b7ef31ef0b554fce
Added to database: 2/25/2026, 9:36:37 PM
Last enriched: 4/9/2026, 8:51:31 AM
Last updated: 4/12/2026, 3:46:50 PM