miniOrange OAuth Single Sign On - SSO (OAuth Client)
cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:wordpress:*:*
- <= 6.26.12
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, affecting all versions through 6.26.12. The vulnerability arises from the use of a predictable state parameter, specifically a base64 encoded application name, without any randomness in the OAuth flow. This flaw allows unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth process, provided they can deceive a site administrator into clicking a link or performing a similar action.
Successful exploitation allows an attacker to forge requests on behalf of a victim user and perform actions in that user's context, potentially hijacking an OAuth authorization flow.
To reproduce this vulnerability, an attacker must craft a link that exploits the predictable state parameter in the OAuth flow. This link, when clicked by an administrator, will send a forged OAuth authorization request, taking advantage of the lack of randomness in the state parameter. The attack can be automated by including the forged request in a web page or email that tricks the administrator into clicking it.
Users are advised to update the OAuth Single Sign On – SSO (OAuth Client) plugin to version 6.26.13 or later, where this vulnerability has been patched.
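The root cause described above is a `state` value that anyone can compute (base64 of a fixed application name), so the authorization server's callback cannot tell a request the victim's browser started from one an attacker started. The following is an added illustration, not code from the plugin or from this advisory; it is written in Python as a language-agnostic sketch rather than in the plugin's PHP, and the function names, the in-memory `SessionStore` and the sample application name are all constructed for the example. It places the weak pattern next to the corrected one: a per-request random `state` bound to the caller's session, checked in constant time and consumed on first use.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed stand-in for a server-side session store (hypothetical, not the
# plugin's real storage): maps a session id to the state issued to that session.
SessionStore = Dict[str, str]


def predictable_state(app_name: str) -> str:
    """Weak pattern described in the advisory: state is only the base64 of the
    application name. It is identical for every request and for every user, so
    anyone who knows the app name can reproduce it and a forged authorization
    request is indistinguishable from a legitimate one."""
    return base64.b64encode(app_name.encode()).decode()


def issue_state(session: SessionStore, session_id: str) -> str:
    """Corrected pattern: a fresh, cryptographically random state for each
    authorization request, stored server-side against the caller's session."""
    state = secrets.token_urlsafe(32)
    session[session_id] = state
    return state


def validate_callback(session: SessionStore, session_id: str,
                      returned_state: Optional[str]) -> bool:
    """Callback-side check. The state carried back in the redirect must match
    the one issued to this session. The stored value is removed before
    comparison so a state can be used at most once, and the comparison is
    constant-time to avoid leaking the expected value through timing."""
    expected = session.pop(session_id, None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Assemble the authorization request; state is sent as a normal query
    parameter and must round-trip unchanged to the callback."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return authorize_endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    weak = predictable_state("MyApp")
    print("predictable state (same for everyone):", weak)

    store: SessionStore = {}
    state = issue_state(store, "victim-session")
    print(build_authorize_url("https://idp.example/authorize",
                              "client-123", "https://site.example/cb", state))
    print("genuine callback accepted:", validate_callback(store, "victim-session", state))
    print("replay of the same state rejected:", validate_callback(store, "victim-session", state))
```

The check in `validate_callback` is what the CSRF link in the advisory defeats when `state` is predictable: with a random, session-bound value, a link built by a third party carries a `state` the victim's session never issued and is rejected at the callback.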