WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Simple Single Sign On <= 4.1.0 - Authentication Bypass

Description

The plugin includes its OAuth client_secret in the authorization redirect it sends through the user's browser, so anyone who starts the Single Sign On flow can read it. With the client_id and client_secret, an attacker can obtain access tokens from the OAuth server without any user's involvement and gain unauthorized access to the site.

Proof of Concept

When we click the "Single Sign On" button while not logged in, the plugin redirects us to the OAuth server to authenticate.

The button invokes the following URL:
https://lana.solutions/vdb/oauth-client/?auth=sso

The client plugin then redirects us to the following authorization URL on the OAuth server:
https://lana.solutions/vdb/oauth-server/?oauth=authorize&response_type=code&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client

The URL contains the "client_secret" parameter. An authorization request travels through the user's browser (the OAuth front channel), so the secret is exposed in the address bar, browser history, proxy and web-server access logs, and Referer headers. A client secret must only ever be sent directly from the client to the token endpoint (RFC 6749, sections 2.3.1 and 4.1.3). Knowing the client_id and client_secret, an attacker can request an access token from the OAuth server with the client credentials grant type, without involving any user.

Exploit script: https://gist.github.com/lana-codes/d5c9c3a79ae50d742df719bf20d9d0ea 
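The script below is an added example written for this page; it is not code from the Simple Single Sign On plugin nor from the researcher's exploit gist. It parses the authorization redirect quoted above, flags any parameter that belongs only in the back-channel token request, shows the authorization URL a correctly written client would build instead (public values only, random state), and assembles the client_credentials token request the advisory describes without sending it. The `oauth=token` endpoint is an assumption; the page does not give the plugin's token route. The `oauth=authorize` routing parameter is copied from the proof of concept.

```python
"""Audit an OAuth 2.0 authorization redirect for leaked client credentials.

Added example for this advisory page; not the plugin's code and not the
advisory's exploit gist. Checks a front-channel URL for back-channel-only
parameters, builds the correct (secret-free) authorization request, and
shapes the client_credentials token request the leaked secret enables.
"""
from __future__ import annotations

import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Redirect URL quoted in the advisory's proof of concept (demo credentials).
LEAKED_REDIRECT = (
    "https://lana.solutions/vdb/oauth-server/?oauth=authorize"
    "&response_type=code"
    "&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW"
    "&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil"
    "&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso"
    "&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client"
)

# Parameters that belong only in the back-channel token request
# (RFC 6749 sections 2.3.1 and 4.1.3, RFC 7636 section 4.5). Seeing any of
# them in a browser redirect is a finding.
BACK_CHANNEL_ONLY = frozenset({"client_secret", "client_assertion", "code_verifier"})


def query_params(url: str) -> dict[str, str]:
    """Return the query string of `url` as a flat name -> value dict."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def leaked_params(url: str) -> list[str]:
    """Names of back-channel-only parameters present in a front-channel URL."""
    return sorted(name for name in query_params(url) if name in BACK_CHANNEL_ONLY)


def safe_authorization_url(server: str, client_id: str, redirect_uri: str) -> tuple[str, str]:
    """Build the authorization request a correct client should send.

    Only public values go in the URL; client_secret stays on the client's
    server for the later code-for-token exchange. `state` is a fresh random
    nonce the client stores in the user's session and compares on return.
    Returns (url, state) so the caller can persist the state.
    """
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "oauth": "authorize",  # server routing parameter, as seen in the PoC
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    scheme, netloc, path, _, _ = urlsplit(server)
    return urlunsplit((scheme, netloc, path, query, "")), state


def client_credentials_request(url: str, token_endpoint: str) -> tuple[str, dict[str, str]]:
    """Shape the token request the leaked credentials make possible.

    Body follows RFC 6749 section 4.4.2 (client_credentials grant): with
    client_id and client_secret alone, no user interaction is needed.
    `token_endpoint` is an assumption; nothing is sent, the request is
    returned for inspection.
    """
    params = query_params(url)
    body = {
        "grant_type": "client_credentials",
        "client_id": params["client_id"],
        "client_secret": params["client_secret"],
    }
    return token_endpoint, body


if __name__ == "__main__":
    found = leaked_params(LEAKED_REDIRECT)
    print("back-channel-only parameters in redirect:", found or "none")
    fixed_url, _ = safe_authorization_url(
        "https://lana.solutions/vdb/oauth-server/",
        query_params(LEAKED_REDIRECT)["client_id"],
        query_params(LEAKED_REDIRECT)["redirect_uri"],
    )
    print("correct authorization URL:", fixed_url)
    endpoint, body = client_credentials_request(
        LEAKED_REDIRECT, "https://lana.solutions/vdb/oauth-server/?oauth=token"  # assumed
    )
    print("token request an attacker could POST to", endpoint, ":", body)
```

Running `leaked_params` against captured redirect URLs from an access log or a browser HAR file is a quick audit for the same defect in other OAuth clients.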

Affects Plugins

single-sign-on-client
No known fix - plugin closed

References

CVE
CVE-2022-2083
URL
https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c/

Classification

Type

AUTHBYPASS

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website
https://lana.codes/
Submitter twitter
lanacodes
Verified

Yes

WPVDB ID
2bbfc855-6901-462f-8a93-120d7fb5d268

Timeline

Publicly Published

2022-08-09

Added

2022-08-09

Last Updated

2023-05-07
