WordPress OAuth Single Sign-On Plugin Unauthorized Access Vulnerability

A vulnerability allowing unauthorized access has been identified in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, affecting all versions through 6.26.14. The issue arises from inadequate capability checks and authentication verification on the OAuth redirect functionality, which can be accessed via the 'oauthredirect' option parameter. This vulnerability enables unauthenticated attackers to manipulate the global redirect URL option by using the redirect_url parameter, provided they can access the site directly.

Impact

Exploitation of this vulnerability allows unauthorized users to change the global redirect URL, potentially leading to unauthorized access or actions on behalf of a user.

Reproduction

To reproduce this vulnerability, access a WordPress site with the affected OAuth Single Sign On – SSO (OAuth Client) plugin version 6.26.14 or earlier. Without authentication, send a request to the site that includes the 'oauthredirect' option parameter and the 'redirect_url' parameter with the desired URL. The absence of proper authorization checks will allow the request to be processed, changing the redirect URL to the one specified.

Remediation

Users are advised to update the OAuth Single Sign On – SSO (OAuth Client) plugin to version 6.26.15 or a newer patched version.