miniOrange Social Login CVE-2026-12761: Patch WordPress Auth Bypass

NVD published critical CVE-2026-12761 for the miniOrange Social Login WordPress plugin. Update to the current version and review privileged accounts.
WordPress miniOrange Social Login CVE-2026-12761 patch checklist for account protection

Update for July 10, 2026 at 22:00 UTC: NVD published CVE-2026-12761, a critical authentication-bypass issue affecting the miniOrange Social Login and Register WordPress plugin in versions up to and including 7.7.0.

This is a WordPress account-protection issue. If a site uses the miniOrange social login plugin for Google, Discord, Twitter/X, LinkedIn, or other identity-provider sign-ins, the site owner should update the plugin and review administrator accounts the same day.

Who Is Affected

  • WordPress sites running miniOrange Social Login and Register through version 7.7.0.
  • Sites that allow social login or registration for customers, members, students, staff, or administrators.
  • WooCommerce, membership, LMS, support portal, agency, and client-dashboard sites where account ownership matters.

WordPress.org lists the plugin slug as miniorange-login-openid. During this pass, WordPress.org reported the current plugin version as 7.8.0 with roughly 10,000+ active installs.

What To Do Now

  1. Take a full site backup before changing authentication plugins.
  2. Update miniOrange Social Login and Register to the current WordPress.org version, currently 7.8.0.
  3. If the site cannot update immediately, disable social login temporarily and require standard WordPress login until maintenance is complete.
  4. Check administrator, editor, shop manager, membership, and customer-support accounts for unexpected additions or role changes.
  5. Ask high-privilege users to reset passwords and re-check two-factor settings after the plugin update.
  6. Test customer login, checkout, membership access, password reset, and any SSO-dependent workflow after caches are cleared.

Hosting And Agency Checklist

  • Search managed WordPress sites for the miniorange-login-openid plugin slug.
  • Prioritize sites that allow open registration, customer accounts, subscriptions, LMS access, private downloads, or admin-facing portals.
  • Patch staging first when the site has custom login redirects, role mapping, membership rules, or WooCommerce account customizations.
  • After patching, review recent users, role changes, login logs, password resets, and unfamiliar connected-provider settings.
  • Notify affected site owners that social login was updated for account-takeover risk and that privileged account review is recommended.

Exploitation Status

CISA KEV did not add this CVE during the 22:00 UTC pass. NVD rates it critical, and the source is Wordfence. That is enough to treat the issue as urgent for sites using the plugin, even without a KEV entry.

FixItPhill Guidance

Do not wait for a normal monthly plugin maintenance window on this one. Authentication-bypass flaws in login plugins can turn into account takeover and customer-data exposure quickly. Back up, patch, clear caches, test login flows, and review high-privilege accounts before marking the site clean.

If a site no longer needs social login, this is also a good time to remove the plugin entirely after confirming no customer workflow depends on it.

Picture of admin

admin

Leave a Reply

About Us

Fix I.T. Phill is a site dedicated to sharing knowledge freely to the public.  Use our Contact Us Form to submit new requests for tutorials that we will get up and ready for you ASAP!

Recent Posts

Follow Us

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.