The plugin does not have CSRF checks when discarding Identity Providers (IdP), which could allow attackers to make logged-in admins delete all IdPs via a CSRF attack.
Make a logged-in admin open: https://example.com/wp-admin/admin.php?page=mo_oauth_settings&tab=config&action=discard
Erwan LR (WPScan)
Erwan LR (WPScan)
Yes
2023-02-28 (about 7 months ago)
2023-02-28 (about 7 months ago)
2023-02-28 (about 7 months ago)
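The missing check described above, shown as an added example of a hardened handler; this is not the plugin's own code or its actual patch. The function names, the nonce action and the option key are hypothetical placeholders; only the `page`, `tab` and `action` query parameters come from the advisory.

```php
<?php
// Added example. The names below are hypothetical, not taken from the plugin.
const EXAMPLE_IDP_OPTION     = 'example_idp_list';    // placeholder option key
const EXAMPLE_DISCARD_ACTION = 'example_discard_idp'; // nonce action string

// Build the "discard" link with a nonce tied to the current user and action.
function example_discard_url() {
    $url = add_query_arg(
        array(
            'page'   => 'mo_oauth_settings',
            'tab'    => 'config',
            'action' => 'discard',
        ),
        admin_url( 'admin.php' )
    );
    // Appends _wpnonce=<token>; a cross-site page cannot predict this value.
    return wp_nonce_url( $url, EXAMPLE_DISCARD_ACTION );
}

// Handle the discard request only when it carries a valid nonce.
function example_handle_discard() {
    if ( ! isset( $_GET['page'], $_GET['action'] )
        || 'mo_oauth_settings' !== $_GET['page']
        || 'discard' !== $_GET['action'] ) {
        return; // Not the discard request.
    }

    // Authorization: only administrators may remove IdP configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops the request unless _wpnonce is valid for this
    // user and action. The bare URL from the advisory fails here.
    check_admin_referer( EXAMPLE_DISCARD_ACTION );

    delete_option( EXAMPLE_IDP_OPTION );

    wp_safe_redirect( admin_url( 'admin.php?page=mo_oauth_settings&tab=config' ) );
    exit;
}
add_action( 'admin_init', 'example_handle_discard' );
```

Sending the destructive action as a POST form with `wp_nonce_field()` instead of a GET link keeps the nonce out of browser history and server logs.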