CVE-2025-12021
The WP-OAuth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error_description' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2025-12021
CVE-2025-12021 affects the WordPress WP-OAuth plugin, with Reflected Cross-Site Scripting via the error_description parameter in all versions up to and including 0.4.1 due to insufficient input sanitization and output escaping. This enables unauthenticated attackers to inject scripts in pages tha...
EUVD-2024-29149
Malicious code in bioql PyPI...
CVE-2024-31253
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in WP OAuth Server OAuth Server. This issue affects OAuth Server: from n/a through 4.3.3...
CVE-2022-4148
The WP OAuth Server OAuth Authentication WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client...
CVE-2022-3894
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack...
CVE-2024-31253
CVE-2024-31253 describes an Open Redirect vulnerability in the WP OAuth Server (OAuth Server) plugin. According to the provided sources, the issue affects OAuth Server up to version 4.3.3 and can redirect users to an untrusted site. The Red Hat and Wordfence entries corroborate the same descripti...
PT-2024-23896 · WordPress · Wp Oauth Server
Name of the Vulnerable Software and Affected Versions: WP OAuth Server versions through 4.3.3 Description: The issue is related to a URL Redirection to Untrusted Site, also known as an 'Open Redirect' vulnerability, in WP OAuth Server. This vulnerability allows redirection to untrusted sites...
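The three open-redirect entries above describe the flaw only by its CWE class. As an added illustration that is not the plugin's own code, the block below shows the request-controlled redirect that produces that class in an OAuth authorization endpoint, beside a version that accepts only a redirect_uri registered for the client, compared exactly as RFC 6749 §3.1.2.3 requires. The `oauth_client` post type, the `client_id` and `redirect_uri` meta keys and every `example_*` function are assumptions for the example.

```php
<?php
// Added example, not WP OAuth Server's code. Assumes an 'oauth_client'
// custom post type whose registered redirect URIs are stored one per line
// in post meta under 'redirect_uri'; all names here are hypothetical.

// Vulnerable pattern: the target is taken straight from the request, so
// any attacker-supplied URL is accepted (CWE-601 open redirect).
function example_authorize_vulnerable() {
    $target = isset( $_GET['redirect_uri'] ) ? wp_unslash( $_GET['redirect_uri'] ) : home_url();
    wp_redirect( $target ); // wp_redirect() performs no host validation
    exit;
}

// Look up the client post by its public client_id (hypothetical schema).
function example_lookup_client_post_id( $client_id ) {
    if ( '' === $client_id ) {
        return 0;
    }
    $ids = get_posts( array(
        'post_type'      => 'oauth_client',
        'post_status'    => 'publish',
        'meta_key'       => 'client_id',
        'meta_value'     => $client_id,
        'posts_per_page' => 1,
        'fields'         => 'ids',
    ) );
    return $ids ? (int) $ids[0] : 0;
}

// Registered redirect URIs for a client, one per line in post meta.
function example_registered_redirect_uris( $client_post_id ) {
    $raw  = (string) get_post_meta( $client_post_id, 'redirect_uri', true );
    $uris = array_filter( array_map( 'trim', preg_split( '/\R/', $raw ) ) );
    return array_values( $uris );
}

// Returns the registered URI on an exact match, otherwise null. No prefix,
// substring or host-only comparison: those are the classic bypasses.
function example_validate_redirect_uri( $client_post_id, $requested ) {
    $requested = (string) $requested;
    if ( '' === $requested ) {
        return null;
    }
    foreach ( example_registered_redirect_uris( $client_post_id ) as $registered ) {
        if ( hash_equals( $registered, $requested ) ) {
            return $registered;
        }
    }
    return null;
}

// Hardened pattern: resolve the client, require an exact registered match,
// and refuse without redirecting on failure (redirecting to the unvalidated
// URI with an error parameter would still be an open redirect).
function example_authorize_hardened( $code ) {
    $client_id = isset( $_GET['client_id'] ) ? sanitize_text_field( wp_unslash( $_GET['client_id'] ) ) : '';
    $requested = isset( $_GET['redirect_uri'] ) ? wp_unslash( $_GET['redirect_uri'] ) : '';
    $state     = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';

    $client_post_id = example_lookup_client_post_id( $client_id );
    if ( ! $client_post_id ) {
        wp_die( 'Unknown client.', 400 );
    }

    $target = example_validate_redirect_uri( $client_post_id, $requested );
    if ( null === $target ) {
        wp_die( 'redirect_uri is not registered for this client.', 400 );
    }

    // Only the validated, registered URI ever reaches the redirect call.
    $location = add_query_arg( array( 'code' => $code, 'state' => $state ), $target );
    wp_redirect( $location );
    exit;
}
```

wp_safe_redirect() is the usual WordPress answer to open redirects, but it only permits the site's own host unless 'allowed_redirect_hosts' is filtered, and an OAuth server must by design send users to third-party client hosts. The exact-match check against the client's registered URIs is the control that applies here; the refusal on mismatch must not itself redirect.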
CVE-2022-4148 WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion
The WP OAuth Server OAuth Authentication WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client...
CVE-2022-4148
CVE-2022-4148 affects the WordPress WP OAuth Server (OAuth Authentication) plugin, prior to version 4.3.0. The vulnerability is a flawed CSRF and authorization check when deleting a client, potentially allowing any authenticated user (e.g., subscribers) to delete arbitrary clients. Affected compo...
CVE-2022-3894
The CVE-2022-3894 entry concerns the WP OAuth Server (OAuth Authentication) WordPress plugin prior to version 4.2.5. Public details from connected sources confirm a concrete issue: lack of CSRF protection when deleting a client, and failure to verify that the target object is actually a client. T...
CVE-2022-3894 WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack...
WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack. PoC fetch'/wp-admin/admin-ajax.php', method: 'POST', header...
WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion
The plugin has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client. PoC Run the below command in the developer console of the web browser while being on the blog as any authenticated users, such as...
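The two advisories differ in which check is missing: before 4.2.5 the client-deletion AJAX handler had no CSRF token and did not verify that the target was a client, so a logged-in admin could be made to delete any post; before 4.3.0 it still let any authenticated user, subscriber included, perform the deletion from the browser console as the PoC above describes. As an added example that is not WP OAuth Server's code, here is a handler with that shape beside one that performs all three checks. The `oauth_client` post type, the action and nonce names and the `manage_options` capability are assumptions.

```php
<?php
// Added example, not WP OAuth Server's code. The 'oauth_client' post type,
// the AJAX action names, the nonce action and the capability are assumptions.

// Vulnerable shape matching the advisories: no nonce (CSRF), no capability
// check (any subscriber may call it) and no post-type check (any post ID).
function example_delete_client_vulnerable() {
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_delete_post( $id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_client_vulnerable', 'example_delete_client_vulnerable' );

// Hardened handler. Every wp_ajax_* hook is dispatched for any logged-in
// user regardless of role, so the handler must do all three checks itself.
function example_delete_client_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this user and action.
    //    check_ajax_referer() terminates the request with a 403 on failure.
    check_ajax_referer( 'example_delete_client', 'nonce' );

    // 2. Authorisation: a valid nonce is not a permission; restrict by capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object check: the ID must refer to a client, not an arbitrary post.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || 'oauth_client' !== get_post_type( $id ) ) {
        wp_send_json_error( 'not a client', 400 );
    }

    if ( ! wp_delete_post( $id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_example_delete_client', 'example_delete_client_hardened' );

// The admin screen that renders the delete control must mint the nonce the
// handler verifies; the client-side request then posts
// action=example_delete_client, id=<post id>, nonce=<this value>.
function example_delete_client_button( $client_post_id ) {
    return sprintf(
        '<button class="example-delete" data-id="%d" data-nonce="%s">Delete</button>',
        (int) $client_post_id,
        esc_attr( wp_create_nonce( 'example_delete_client' ) )
    );
}
```

The nonce only proves the request originated from a page that minted it for the current user; it says nothing about whether that user may delete clients, which is why the capability check closes the second advisory and the nonce alone does not. The post-type check keeps an ID substituted into an otherwise valid request from deleting unrelated content, the defect the first advisory names.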
CVE-2022-3892
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
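Both cross-site scripting entries on this page, the reflected one in the error_description parameter (CVE-2025-12021) and the stored one in Client IDs (CVE-2022-3892), come down to the same missing step: escaping at the point of output. WordPress's kses filtering for users without unfiltered_html only covers core content fields, not values a plugin writes to post meta itself, so a plugin must sanitize on save and escape on render on its own. As an added example that is not either plugin's code, the block below shows both the reflected and the stored case in vulnerable and hardened form; all `example_*` functions and the `client_id` meta key are assumptions.

```php
<?php
// Added example, not WP-OAuth's or WP OAuth Server's code. Function names,
// the nonce action and the 'client_id' meta key are assumptions.

// --- Reflected: rendering an OAuth error callback ---
// Vulnerable: error and error_description from the query string are
// concatenated straight into HTML.
function example_render_error_vulnerable( $params ) {
    return '<p class="oauth-error">' . $params['error'] . ': ' . $params['error_description'] . '</p>';
}

// Hardened: constrain 'error' to the codes RFC 6749 §4.1.2.1 defines,
// sanitize the description on input, and escape both on output. The
// esc_html() calls are what stop the XSS; sanitize_text_field() alone
// is not an HTML encoder.
function example_render_error_hardened( $params ) {
    $allowed = array(
        'invalid_request', 'unauthorized_client', 'access_denied',
        'unsupported_response_type', 'invalid_scope', 'server_error',
        'temporarily_unavailable',
    );
    $error = isset( $params['error'] ) ? sanitize_key( $params['error'] ) : '';
    if ( ! in_array( $error, $allowed, true ) ) {
        $error = 'invalid_request';
    }
    $desc = isset( $params['error_description'] )
        ? sanitize_text_field( wp_unslash( $params['error_description'] ) )
        : '';
    return '<p class="oauth-error">' . esc_html( $error ) . ': ' . esc_html( $desc ) . '</p>';
}

// --- Stored: the Client ID field on the client edit screen ---
// Vulnerable: saved and printed raw, so an administrator without
// unfiltered_html (multisite) can still persist a script in the attribute.
function example_save_client_id_vulnerable( $post_id ) {
    update_post_meta( $post_id, 'client_id', $_POST['client_id'] );
}
function example_client_id_field_vulnerable( $post_id ) {
    $value = get_post_meta( $post_id, 'client_id', true );
    return '<input type="text" name="client_id" value="' . $value . '">';
}

// Hardened: a client identifier only needs a narrow character set, so
// reduce it to that on save, check a nonce and capability, and escape
// when the field is rendered.
function example_normalize_client_id( $raw ) {
    $raw = sanitize_text_field( wp_unslash( (string) $raw ) );
    return preg_replace( '/[^A-Za-z0-9._-]/', '', $raw );
}

function example_save_client_id_hardened( $post_id ) {
    check_admin_referer( 'example_save_client', 'example_nonce' ); // CSRF
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = isset( $_POST['client_id'] ) ? example_normalize_client_id( $_POST['client_id'] ) : '';
    update_post_meta( $post_id, 'client_id', $clean );
}

function example_client_id_field_hardened( $post_id ) {
    $value = (string) get_post_meta( $post_id, 'client_id', true );
    return wp_nonce_field( 'example_save_client', 'example_nonce', true, false )
        . '<input type="text" name="client_id" value="' . esc_attr( $value ) . '">';
}
```

The output escaping is unconditional: it does not depend on who saved the value or which capabilities they hold, which is exactly the property the multisite caveat in the advisory calls for. Sanitizing on save is defence in depth for other consumers of the stored value, not a substitute for escaping at render time.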