Site icon Fix I.T. Phill – Your Go-To Tech Guru

miniOrange Social Login CVE-2026-12761: Patch WordPress Auth Bypass

WordPress miniOrange Social Login CVE-2026-12761 patch checklist for account protection

WordPress miniOrange Social Login CVE-2026-12761 patch checklist for account protection

Update for July 10, 2026 at 22:00 UTC: NVD published CVE-2026-12761, a critical authentication-bypass issue affecting the miniOrange Social Login and Register WordPress plugin in versions up to and including 7.7.0.

This is a WordPress account-protection issue. If a site uses the miniOrange social login plugin for Google, Discord, Twitter/X, LinkedIn, or other identity-provider sign-ins, the site owner should update the plugin and review administrator accounts the same day.

Who Is Affected

WordPress.org lists the plugin slug as miniorange-login-openid. During this pass, WordPress.org reported the current plugin version as 7.8.0 with roughly 10,000+ active installs.

What To Do Now

  1. Take a full site backup before changing authentication plugins.
  2. Update miniOrange Social Login and Register to the current WordPress.org version, currently 7.8.0.
  3. If the site cannot update immediately, disable social login temporarily and require standard WordPress login until maintenance is complete.
  4. Check administrator, editor, shop manager, membership, and customer-support accounts for unexpected additions or role changes.
  5. Ask high-privilege users to reset passwords and re-check two-factor settings after the plugin update.
  6. Test customer login, checkout, membership access, password reset, and any SSO-dependent workflow after caches are cleared.

Hosting And Agency Checklist

Exploitation Status

CISA KEV did not add this CVE during the 22:00 UTC pass. NVD rates it critical, and the source is Wordfence. That is enough to treat the issue as urgent for sites using the plugin, even without a KEV entry.

FixItPhill Guidance

Do not wait for a normal monthly plugin maintenance window on this one. Authentication-bypass flaws in login plugins can turn into account takeover and customer-data exposure quickly. Back up, patch, clear caches, test login flows, and review high-privilege accounts before marking the site clean.

If a site no longer needs social login, this is also a good time to remove the plugin entirely after confirming no customer workflow depends on it.

Exit mobile version