WordPress Plugin Vulnerabilities

OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF

Description

The plugin does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
miniorange-login-with-eve-online-google-facebook
Fixed in 6.24.2

References

CVE
CVE-2023-1093

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
1e13b9ea-a3ef-483b-b967-6ec14bd6d54d

Timeline

Publicly Published
2023-02-28 (about 2 years ago)
Added
2023-02-28 (about 2 years ago)
Last Updated
2023-02-28 (about 2 years ago)

Other

Published
Title
Published
2021-07-20
Title
Elementor Addon Elements < 1.11.8 - CSRF Bypass
Published
2023-01-20
Title
Contact Us page - Contact people LITE < 3.7.1 - Contact Update/Deletion/Creation via CSRF
Published
2016-08-15
Title
Photo Gallery by Supsystic < 1.8.6 - Arbitrary Image Adding via CSRF
Published
2014-09-17
Title
Disqus < 2.79 - Cross-Site Request Forgery (CSRF)
Published
2024-05-30
Title
Uploadcare File Uploader and Adaptive Delivery (beta) < 3.1.0 - Cross-Site Request Forgery