CVE-2023-1092

Source: NVD (web.nvd.nist.gov)
Published: 2023-03-27 16:15:09
Tags: oauth, single sign on, wordpress, plugins, csrf, attack, admins, identity providers, csrf checks, delete

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 47.5%

The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not perform CSRF checks when deleting Identity Providers (IdPs), which could allow attackers to make logged-in admins delete arbitrary IdPs via a CSRF attack.

Affected configurations

NVD node (any of the following):
  miniorange oauth_single_sign_on, version < 6.24.2 (free, wordpress)
  OR miniorange oauth_single_sign_on, version < 28.4.9 (standard, wordpress)
  OR miniorange oauth_single_sign_on, version < 38.4.9 (premium, wordpress)
  OR miniorange oauth_single_sign_on, version < 48.4.9 (enterprise, wordpress)

Vendor      Product               Version  CPE
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:free:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:standard:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:premium:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:enterprise:wordpress:*:*
