Search
Find a vulnerability
Search criteria
8 vulnerabilities found for oauth_single_sign_on by miniorange
CVE-2022-34155 (GCVE-0-2022-34155)
Vulnerability from nvd – Published: 2023-07-18 13:41 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress OAuth Single Sign On – SSO (OAuth Client) Plugin <= 6.23.3 is vulnerable to Broken Authentication
Summary
Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/min… | vdb-entry |
| https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37… | third-party-advisorytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| miniOrange | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
n/a , ≤ 6.23.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:16:17.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description",
"x_transferred"
],
"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-34155",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:32:31.654159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T16:32:41.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "miniorange-login-with-eve-online-google-facebook",
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "miniOrange",
"versions": [
{
"changes": [
{
"at": "6.23.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.23.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lana Codes (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.\u003cp\u003eThis issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:44.244Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a06.23.4 or a higher version."
}
],
"value": "Update to\u00a06.23.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress OAuth Single Sign On \u2013 SSO (OAuth Client) Plugin \u003c= 6.23.3 is vulnerable to Broken Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-34155",
"datePublished": "2023-07-18T13:41:59.369Z",
"dateReserved": "2022-06-30T08:55:45.281Z",
"dateUpdated": "2026-04-28T16:07:44.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1093 (GCVE-0-2023-1093)
Vulnerability from nvd – Published: 2023-03-27 15:37 – Updated: 2025-02-19 20:16
VLAI
Title
OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF
Summary
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1e13b9ea-a3ef-48… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | OAuth Single Sign On |
Affected:
0 , < 6.24.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1e13b9ea-a3ef-483b-b967-6ec14bd6d54d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T20:16:43.184400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T20:16:48.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.24.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwan LR (WPScan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T15:37:22.994Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/1e13b9ea-a3ef-483b-b967-6ec14bd6d54d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On - SSO (OAuth Client) \u003c 6.24.2 - IdP Discard via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-1093",
"datePublished": "2023-03-27T15:37:22.994Z",
"dateReserved": "2023-02-28T14:35:38.935Z",
"dateUpdated": "2025-02-19T20:16:48.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1092 (GCVE-0-2023-1092)
Vulnerability from nvd – Published: 2023-03-27 15:39 – Updated: 2025-02-19 16:49
VLAI
Title
OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF
Summary
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/8fbf7efe-0bf2-42… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/f6e165d9-2193-4c… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/52e29f16-b6dd-41… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/5eb85df5-8aab-4f… | exploitvdb-entrytechnical-description |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| MiniOrange | OAuth Single Sign On Free |
Affected:
0 , < 6.24.2
(custom)
|
|
| MiniOrange | OAuth Single Sign On Standard |
Affected:
0 , < 28.4.9
(custom)
|
|
| MiniOrange | OAuth Single Sign On Premium |
Affected:
0 , < 38.4.9
(custom)
|
|
| MiniOrange | OAuth Single Sign On Enterprise |
Affected:
0 , < 48.4.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8fbf7efe-0bf2-42c6-aef1-7fcf2708b31b"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f6e165d9-2193-4c76-ae2d-618a739fe4fb"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/52e29f16-b6dd-4132-9bb8-ad10bd3c39d7"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5eb85df5-8aab-4f30-a401-f776a310b09c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1092",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:48:34.457467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:49:01.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Free",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "6.24.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Standard",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "28.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Premium",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "38.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Enterprise",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "48.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Thuc Tuyen"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T15:39:36.079Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/8fbf7efe-0bf2-42c6-aef1-7fcf2708b31b"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f6e165d9-2193-4c76-ae2d-618a739fe4fb"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/52e29f16-b6dd-4132-9bb8-ad10bd3c39d7"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/5eb85df5-8aab-4f30-a401-f776a310b09c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-1092",
"datePublished": "2023-03-27T15:39:36.079Z",
"dateReserved": "2023-02-28T14:30:57.803Z",
"dateUpdated": "2025-02-19T16:49:01.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2133 (GCVE-0-2022-2133)
Vulnerability from nvd – Published: 2022-07-17 10:36 – Updated: 2024-08-03 00:24
VLAI
Title
OAuth Single Sign On < 6.22.6 - Authentication Bypass
Summary
The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e76939ca-180f-44… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
6.22.6 , < 6.22.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.22.6",
"status": "affected",
"version": "6.22.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On WordPress plugin before 6.22.6 doesn\u0027t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user\u0027s email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:36:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On \u003c 6.22.6 - Authentication Bypass",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2133",
"STATE": "PUBLIC",
"TITLE": "OAuth Single Sign On \u003c 6.22.6 - Authentication Bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.22.6",
"version_value": "6.22.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lana Codes"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OAuth Single Sign On WordPress plugin before 6.22.6 doesn\u0027t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user\u0027s email address."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2133",
"datePublished": "2022-07-17T10:36:17.000Z",
"dateReserved": "2022-06-20T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-34155 (GCVE-0-2022-34155)
Vulnerability from cvelistv5 – Published: 2023-07-18 13:41 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress OAuth Single Sign On – SSO (OAuth Client) Plugin <= 6.23.3 is vulnerable to Broken Authentication
Summary
Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/min… | vdb-entry |
| https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37… | third-party-advisorytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| miniOrange | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
n/a , ≤ 6.23.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:16:17.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description",
"x_transferred"
],
"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-34155",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T16:32:31.654159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T16:32:41.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "miniorange-login-with-eve-online-google-facebook",
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "miniOrange",
"versions": [
{
"changes": [
{
"at": "6.23.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.23.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lana Codes (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.\u003cp\u003eThis issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:44.244Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a06.23.4 or a higher version."
}
],
"value": "Update to\u00a06.23.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress OAuth Single Sign On \u2013 SSO (OAuth Client) Plugin \u003c= 6.23.3 is vulnerable to Broken Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-34155",
"datePublished": "2023-07-18T13:41:59.369Z",
"dateReserved": "2022-06-30T08:55:45.281Z",
"dateUpdated": "2026-04-28T16:07:44.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-1092 (GCVE-0-2023-1092)
Vulnerability from cvelistv5 – Published: 2023-03-27 15:39 – Updated: 2025-02-19 16:49
VLAI
Title
OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF
Summary
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/8fbf7efe-0bf2-42… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/f6e165d9-2193-4c… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/52e29f16-b6dd-41… | exploitvdb-entrytechnical-description |
| https://wpscan.com/vulnerability/5eb85df5-8aab-4f… | exploitvdb-entrytechnical-description |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| MiniOrange | OAuth Single Sign On Free |
Affected:
0 , < 6.24.2
(custom)
|
|
| MiniOrange | OAuth Single Sign On Standard |
Affected:
0 , < 28.4.9
(custom)
|
|
| MiniOrange | OAuth Single Sign On Premium |
Affected:
0 , < 38.4.9
(custom)
|
|
| MiniOrange | OAuth Single Sign On Enterprise |
Affected:
0 , < 48.4.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8fbf7efe-0bf2-42c6-aef1-7fcf2708b31b"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f6e165d9-2193-4c76-ae2d-618a739fe4fb"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/52e29f16-b6dd-4132-9bb8-ad10bd3c39d7"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5eb85df5-8aab-4f30-a401-f776a310b09c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1092",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:48:34.457467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:49:01.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Free",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "6.24.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Standard",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "28.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Premium",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "38.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On Enterprise",
"vendor": "MiniOrange",
"versions": [
{
"lessThan": "48.4.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Thuc Tuyen"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T15:39:36.079Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/8fbf7efe-0bf2-42c6-aef1-7fcf2708b31b"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f6e165d9-2193-4c76-ae2d-618a739fe4fb"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/52e29f16-b6dd-4132-9bb8-ad10bd3c39d7"
},
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/5eb85df5-8aab-4f30-a401-f776a310b09c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-1092",
"datePublished": "2023-03-27T15:39:36.079Z",
"dateReserved": "2023-02-28T14:30:57.803Z",
"dateUpdated": "2025-02-19T16:49:01.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1093 (GCVE-0-2023-1093)
Vulnerability from cvelistv5 – Published: 2023-03-27 15:37 – Updated: 2025-02-19 20:16
VLAI
Title
OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF
Summary
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1e13b9ea-a3ef-48… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | OAuth Single Sign On |
Affected:
0 , < 6.24.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.344Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1e13b9ea-a3ef-483b-b967-6ec14bd6d54d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T20:16:43.184400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T20:16:48.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.24.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwan LR (WPScan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T15:37:22.994Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/1e13b9ea-a3ef-483b-b967-6ec14bd6d54d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On - SSO (OAuth Client) \u003c 6.24.2 - IdP Discard via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-1093",
"datePublished": "2023-03-27T15:37:22.994Z",
"dateReserved": "2023-02-28T14:35:38.935Z",
"dateUpdated": "2025-02-19T20:16:48.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2133 (GCVE-0-2022-2133)
Vulnerability from cvelistv5 – Published: 2022-07-17 10:36 – Updated: 2024-08-03 00:24
VLAI
Title
OAuth Single Sign On < 6.22.6 - Authentication Bypass
Summary
The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e76939ca-180f-44… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
6.22.6 , < 6.22.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "Unknown",
"versions": [
{
"lessThan": "6.22.6",
"status": "affected",
"version": "6.22.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On WordPress plugin before 6.22.6 doesn\u0027t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user\u0027s email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:36:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth Single Sign On \u003c 6.22.6 - Authentication Bypass",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2133",
"STATE": "PUBLIC",
"TITLE": "OAuth Single Sign On \u003c 6.22.6 - Authentication Bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.22.6",
"version_value": "6.22.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lana Codes"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OAuth Single Sign On WordPress plugin before 6.22.6 doesn\u0027t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user\u0027s email address."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2133",
"datePublished": "2022-07-17T10:36:17.000Z",
"dateReserved": "2022-06-20T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}