OAuth Single Sign On – SSO (OAuth Client) < 6.26.15 – Missing Authorization | CVE 2025-10753 | Plugin Vulnerabilities

Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly.

Affects Plugins

miniorange-login-with-eve-online-google-facebook

Fixed in 6.26.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

99ca5cdf-2efb-4bff-9ef4-e953ed9e1b4c

Timeline

Publicly Published

2026-02-05 (about 4 months ago)

Added

2026-02-05 (about 4 months ago)

Last Updated

2026-02-06 (about 4 months ago)

Other

Published

Title

Published

2025-05-16

Title

CSS3 Accordions for WordPress < 3.1 - Missing Authorization

Published

2024-05-21

Title

WP Scraper < 5.8 - Missing Authorization to Arbitrary Page/Post Creation

Published

2024-02-02

Title

PowerPack Pro for Elementor < 2.10.8 - Missing Authorization to Settings Reset

Published

2025-04-01

Title

OpenAI Tools for WordPress & WooCommerce <= 2.1.5 - Missing Authorization

Published

2025-10-23

Title

Originality.ai AI Checker <= 1.0.16 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'ai_get_table'