History: Mar 27, 2023 - 4:15 p.m.

CVE-2023-1092

2023-03-27 16:15:09
WPScan
web.nvd.nist.gov
cve-2023-1092
wordpress
oauth
single sign on
csrf
security
vulnerability
nvd

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score: 6.2
Confidence: High

EPSS: 0.001
Percentile: 47.5%

The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged-in admins delete arbitrary IdPs via a CSRF attack.

Affected configurations

Node
miniorange  oauth_single_sign_on  Range <6.24.2  free  wordpress
OR
miniorange  oauth_single_sign_on  Range <28.4.9  standard  wordpress
OR
miniorange  oauth_single_sign_on  Range <38.4.9  premium  wordpress
OR
miniorange  oauth_single_sign_on  Range <48.4.9  enterprise  wordpress

Vendor      Product               Version  CPE
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:free:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:standard:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:premium:wordpress:*:*
miniorange  oauth_single_sign_on  *        cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:enterprise:wordpress:*:*

CNA Affected

[
  {
    "vendor": "MiniOrange",
    "product": "OAuth Single Sign On Free",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "6.24.2"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  },
  {
    "vendor": "MiniOrange",
    "product": "OAuth Single Sign On Standard",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "28.4.9"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "MiniOrange",
    "product": "OAuth Single Sign On Premium",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "38.4.9"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "MiniOrange",
    "product": "OAuth Single Sign On Enterprise",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "48.4.9"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
