
CVE-2022-3119 OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass

Published: 2022-09-26 12:35:44
CWE-287 (Improper Authentication), CWE-352 (Cross-Site Request Forgery)
Source: WPScan
Reference: www.cve.org

EPSS: 0.001 (Low), Percentile: 40.0%

The OAuth client Single Sign On WordPress plugin before 3.0.4 has no authorisation or CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address.

CNA Affected

[
  {
    "product": "OAuth client Single Sign On for WordPress ( OAuth 2.0 SSO )",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.0.4",
        "status": "affected",
        "version": "3.0.4",
        "versionType": "custom"
      }
    ]
  }
]
