Cloud SAML SSO WordPress Plugin Missing Authorization Vulnerability in Data Modification

Vulnerability

The Cloud SAML SSO plugin for WordPress, in all versions up to and including 1.0.19, performs no capability check on the 'set_organization_settings' action handled by 'csso_handle_actions()'. Any request that reaches the handler with that action is accepted: the submitted values are written with 'update_option()' without confirming that the requester is permitted to change them and without a CSRF nonce tying the request to a form served to a logged-in user. Unauthenticated attackers can therefore overwrite the organization settings, including the signing and encryption options, with a single crafted POST request, breaking the SSO flow and causing a denial-of-service condition.

Impact

Unauthenticated modification of critical plugin settings, including the SSO signing and encryption options. Because these settings determine how SAML requests and assertions are signed, verified and decrypted, a value that no longer matches the identity provider's configuration breaks single sign-on for every user of the site, a denial-of-service condition.

Reproduction

Send a POST request to the WordPress site, without authenticating, with the 'action' parameter set to 'set_organization_settings' and the organization settings to be changed in the request body. Because the handler performs neither a capability check nor nonce verification, the submitted values are stored. Confirming that the values shown on the plugin's settings page (or the corresponding option row in the wp_options table) have changed demonstrates the vulnerability.
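The handler pattern described in the Vulnerability section and the check that the reproduction steps show to be missing, written out side by side as an added illustration. This is not the plugin's own source, which this page does not reproduce: it assumes it runs inside WordPress, the option name 'csso_org_settings', the setting keys 'sign_requests' and 'encrypt_assertions', the nonce action 'csso_set_org_settings' and the field name 'csso_nonce' are invented for the example, and the function names carry a suffix to distinguish the two versions from the real 'csso_handle_actions()'.

```php
<?php
/*
 * Added illustration of the missing-authorization pattern and its fix.
 * NOT the Cloud SAML SSO plugin's code. The option name, setting keys,
 * nonce action and field name below are assumptions for the example.
 */

// Vulnerable pattern: the action is dispatched on the raw POST body with no
// capability check and no nonce, so any request that reaches the handler,
// authenticated or not, rewrites the stored settings.
function csso_handle_actions_vulnerable() {
    if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'set_organization_settings' ) {
        return;
    }
    $settings = array(
        'sign_requests'      => ! empty( $_POST['sign_requests'] ),
        'encrypt_assertions' => ! empty( $_POST['encrypt_assertions'] ),
    );
    update_option( 'csso_org_settings', $settings ); // applied unconditionally
}

// Hardened pattern: require an authenticated user with a suitable capability,
// verify a nonce bound to this action, coerce the input, and only then write.
function csso_handle_actions_fixed() {
    if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'set_organization_settings' ) {
        return;
    }

    // 1. Authorization. 'manage_options' is the capability WordPress grants
    //    to administrators for site-wide configuration; unauthenticated
    //    requests have no capabilities and fail closed here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change SSO settings.', 'csso' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF. The request must carry a nonce issued for this action to the
    //    current user; check_admin_referer() terminates the request otherwise.
    check_admin_referer( 'csso_set_org_settings', 'csso_nonce' );

    // 3. Input handling. Store the expected types rather than whatever arrived.
    $settings = array(
        'sign_requests'      => rest_sanitize_boolean( $_POST['sign_requests'] ?? false ),
        'encrypt_assertions' => rest_sanitize_boolean( $_POST['encrypt_assertions'] ?? false ),
    );
    update_option( 'csso_org_settings', $settings );
}

// The settings form has to emit the matching nonce so that legitimate
// administrator submissions pass step 2:
//   wp_nonce_field( 'csso_set_org_settings', 'csso_nonce' );
```

The order of the checks in the hardened version matters: the capability check rejects unauthenticated callers before any nonce is considered, and the nonce then ties the request to a form the current user was actually served, so a logged-in administrator cannot be made to submit it from another site. Handlers of this kind are often attached to hooks such as 'init' or 'admin_init', which WordPress also fires for unauthenticated requests (including admin-ajax.php); neither hook implies that the caller is logged in, so the authorization check has to be explicit in the handler.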

Remediation

Update the Cloud SAML SSO plugin to version 1.0.20 or later, which resolves the issue. After updating, review the plugin's signing and encryption settings against the identity provider's configuration to confirm they were not already altered before the fix was applied.

Added: Sep 6, 2025, 4:28 AM
Updated: Sep 6, 2025, 4:28 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.3
exploitability  8.4
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.