Cloud SAML SSO WordPress Plugin Identity Provider Deletion Vulnerability
Vulnerability
A vulnerability exists in the Cloud SAML SSO plugin for WordPress, specifically in versions through 1.0.19. The issue arises from a lack of proper capability checks in the 'delete_config' action of the 'csso_handle_actions()' function. This oversight allows unauthenticated attackers to delete any configured Identity Provider (IdP), disrupting the Single Sign-On (SSO) authentication process and causing a denial-of-service condition.
Impact
Exploitation of this vulnerability allows for the unauthorized deletion of Identity Providers, disrupting the SSO authentication flow and causing a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a POST request that invokes the 'delete_config' action without authenticating. The request can be made from any user account, because the plugin does not verify that the requester has the capability required to perform this action. Once the request is processed, the specified Identity Provider is deleted, breaking SSO functionality.
Remediation
Users are advised to update the Cloud SAML SSO plugin to version 1.0.20 or later.
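For plugin developers, the sketch below shows the kind of authorization a delete handler needs before it touches stored IdP configuration. It is an added example, not the Cloud SAML SSO plugin's code or its 1.0.20 fix; the `example_sso_*` function, option, nonce and request field names and the settings page slug are hypothetical, and `manage_options` is assumed to be the appropriate capability.

```php
<?php
/**
 * Illustrative sketch only: not the Cloud SAML SSO plugin's code.
 * Every example_sso_* name, the option key and the request fields are hypothetical.
 */
add_action( 'admin_init', 'example_sso_handle_actions' );

function example_sso_handle_actions() {
    // Only act on POST requests that ask for this specific action.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $action = isset( $_POST['example_sso_action'] )
        ? sanitize_key( wp_unslash( $_POST['example_sso_action'] ) )
        : '';
    if ( 'delete_config' !== $action ) {
        return;
    }

    // Capability check. Being hooked into an admin action does not establish
    // that the requester is an administrator or even logged in; the handler
    // has to verify that itself before changing any state.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage SSO settings.', '', array( 'response' => 403 ) );
    }

    // Nonce check: rejects forged cross-site requests made with an admin's session.
    check_admin_referer( 'example_sso_delete_idp', 'example_sso_nonce' );

    // Validate the target before deleting: it must be an IdP that is actually stored.
    $idp_id = isset( $_POST['idp_id'] ) ? sanitize_key( wp_unslash( $_POST['idp_id'] ) ) : '';
    $idps   = get_option( 'example_sso_idps', array() );
    if ( '' === $idp_id || ! is_array( $idps ) || ! array_key_exists( $idp_id, $idps ) ) {
        wp_die( 'Unknown Identity Provider.', '', array( 'response' => 400 ) );
    }

    unset( $idps[ $idp_id ] );
    update_option( 'example_sso_idps', $idps );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-sso&deleted=1' ) );
    exit;
}
```

The capability check and the nonce check cover different failures: the first stops requesters who lack the privilege, the second stops requests an administrator did not intend to send.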
