CVE-2023-1092
Severity CVSS v4.0: Pending analysis
Type: CWE-352 Cross-Site Request Forgery (CSRF)
Publication date: 27/03/2023
Last modified: 19/02/2025
Description
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdPs), which could allow attackers to make logged-in admins delete arbitrary IdPs via a CSRF attack.
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:free:wordpress:*:* | 6.24.2 (excluding) | |
| cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:standard:wordpress:*:* | 28.4.9 (excluding) | |
| cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:premium:wordpress:*:* | 38.4.9 (excluding) | |
| cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:enterprise:wordpress:*:* | 48.4.9 (excluding) | |
References to Advisories, Solutions, and Tools
- https://wpscan.com/vulnerability/52e29f16-b6dd-4132-9bb8-ad10bd3c39d7
- https://wpscan.com/vulnerability/5eb85df5-8aab-4f30-a401-f776a310b09c
- https://wpscan.com/vulnerability/8fbf7efe-0bf2-42c6-aef1-7fcf2708b31b
- https://wpscan.com/vulnerability/f6e165d9-2193-4c76-ae2d-618a739fe4fb