Cross-Site Scripting in miniOrange SAML SP Single Sign On Plugin for WordPress
CVE-2019-12346

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Saml Sp Single Sign On
Vendor: CVE Published:; 24 June 2019

What is CVE-2019-12346?

The miniOrange SAML SP Single Sign On plugin for WordPress prior to version 4.8.73 is susceptible to a Cross-Site Scripting (XSS) flaw. An attacker can exploit this vulnerability by sending a specially crafted SAMLResponse XML post to the SAML Login Endpoint, allowing for unauthorized actions in the context of the affected user session. This vulnerability poses a significant risk to site security, as it may enable attackers to execute malicious scripts in the browser of unsuspecting users.

References

https://zeroauth.ltd/blog/2019/05/27/cve-2019-12346-minio...

x_refsource_MISC

https://wpvulndb.com/vulnerabilities/9397

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2019
Vulnerability Reserved
May 27, 2019

Wordpress

What is CVE-2019-12346?

References

CVSS V3.1

Timeline