Authentication Bypass Vulnerability Affects WordPress Sites Using OAuth Client Plugin
CVE-2024-10111

8.1 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
12 December 2024

Summary

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to an authentication bypass because it does not adequately verify the identity of the user returned from a social login token. All versions up to and including 6.26.3 are affected. As a result, unauthenticated attackers can log in as any existing user on the site, which can include accounts with administrative privileges. The flaw arises because the plugin does not properly validate users who authenticate through the supported social platforms, so an attacker can gain access to an account without possessing its legitimate credentials.
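The flaw class the summary describes, trusting whatever identity the social-login callback carries instead of confirming it with the identity provider, is illustrated below with an added example. This is not the plugin's code and does not reproduce its specific defect (the advisory publishes no code); the site's user table, the stand-in provider, the client credentials and every function name are constructed for the illustration. The vulnerable handler maps the callback straight to a local account, while the hardened one checks the session-bound state value, redeems the one-time authorization code with the provider and logs in only the user the provider vouches for.

```python
# Added illustration (not the plugin's code): a social-login callback that trusts
# identity claims from the request, beside one that verifies them with the provider.
import hmac
import secrets

# Constructed sample data: a hypothetical site's user table keyed by e-mail.
SITE_USERS = {
    "admin@example.test": {"id": 1, "role": "administrator"},
    "alice@example.test": {"id": 2, "role": "subscriber"},
}
CLIENT_ID = "client-id-placeholder"          # hypothetical OAuth client registration
CLIENT_SECRET = "client-secret-placeholder"  # hypothetical; never hard-code in real code


class FakeProvider:
    """Stand-in for an identity provider's token and userinfo endpoints (constructed)."""

    def __init__(self):
        self._codes = {}   # authorization code -> e-mail of the user who logged in there
        self._tokens = {}  # access token -> e-mail

    def issue_code(self, email):
        """Provider side: the user authenticated at the provider and gets a one-time code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = email
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Token endpoint: only the registered client can redeem a code, and only once."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("unknown client")
        email = self._codes.pop(code, None)
        if email is None:
            raise PermissionError("invalid or already used code")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = email
        return token

    def userinfo(self, access_token):
        """Userinfo endpoint: the identity comes from the provider, bound to the token."""
        email = self._tokens.get(access_token)
        if email is None:
            raise PermissionError("invalid token")
        return {"email": email, "email_verified": True}


def begin_login(session):
    """Before redirecting to the provider: store an unguessable state value in the session."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return session["oauth_state"]


def vulnerable_callback(params):
    """Flawed pattern: the local account is chosen from a claim carried in the callback
    request itself, so whoever controls the request controls which user is logged in."""
    return SITE_USERS.get(params.get("email"))


def hardened_callback(params, session, provider):
    """Log in only a user whose identity the provider itself confirms."""
    # 1. The state must match what this session stored (rejects forged callbacks).
    expected = session.get("oauth_state")
    presented = str(params.get("state", ""))
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    del session["oauth_state"]  # single use
    # 2. Ignore any identity claim in the request; redeem the code with the provider.
    code = params.get("code")
    if not code:
        return None
    try:
        token = provider.exchange_code(code, CLIENT_ID, CLIENT_SECRET)
        info = provider.userinfo(token)
    except PermissionError:
        return None
    # 3. Map to a local account only on an e-mail the provider marks as verified.
    if not info.get("email_verified"):
        return None
    return SITE_USERS.get(info["email"])
```

In a real plugin the equivalents of `exchange_code` and `userinfo` are HTTPS calls to the provider's token and userinfo endpoints (or signature and audience checks on an ID token), and the local account is matched only on a claim the provider vouches for, never on a value the callback request supplies.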

Affected Version(s)

OAuth Single Sign On – SSO (OAuth Client): all versions <= 6.26.3

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Vector string (from the metrics above): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • Vulnerability published: 12 December 2024

  • Vulnerability reserved

Credit

wesley