WordPress Plugin Vulnerabilities

OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass

Description

The plugin allows attackers to login as any user by just knowing their email address

Proof of Concept

Affects Plugins

Plugin icon
oauth-client
Fixed in 1.11.4

References

CVE
CVE-2022-34858

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
Yes
WPVDB ID
c713cdc1-327a-49e1-ad19-edbf8921b722

Timeline

Publicly Published
2022-06-21 (about 3 years ago)
Added
2022-08-19 (about 3 years ago)
Last Updated
2023-05-10 (about 3 years ago)

Other

Published
Title
Published
2025-12-04
Title
Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification < 2.0.45 - Authentication Bypass to Account Takeover
Published
2015-03-21
Title
WP Marketplace <= 2.4.0 - Arbitrary File Download
Published
2025-05-29
Title
Browse As <= 0.2 - Subscriber+ Authentication Bypass via Cookie
Published
2024-10-25
Title
Wux Blog Editor <= 3.0.0 - Authentication Bypass to Administrator
Published
2024-08-16
Title
Login As Users < 1.4.3 - Authentication Bypass