WordPress Plugin Vulnerabilities
Simple Single Sign On <= 4.1.0 - Authentication Bypass
Description
The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.
Proof of Concept
When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL: https://lana.solutions/vdb/oauth-client/?auth=sso The client plugin redirects us to the following URL: https://lana.solutions/vdb/oauth-server/?oauth=authorize&response_type=code&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client The URL contains the "client_secret" code that can be used to request an access token with client credentials grant type authentication. Exploit script: https://gist.github.com/lana-codes/d5c9c3a79ae50d742df719bf20d9d0ea
Affects Plugins
No known fix References
Classification
Type
AUTHBYPASS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-09 (about 1 years ago)
Added
2022-08-09 (about 1 years ago)
Last Updated
2023-05-07 (about 7 months ago)
WPScan 