Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible with no privileges or interaction required; impact limited to clearing OAuth configuration yielding only low integrity loss with no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.
AnalysisAI
Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond network access to the WordPress site and the presence of an active Secufor_OAuth plugin installation at version 1.0.7 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score is well-calibrated: the attack vector is network-accessible with no prerequisites (AV:N/AC:L/PR:N/UI:N), but impact is strictly bounded to low integrity loss (I:L) with no confidentiality or availability effect (C:N/A:N) and unchanged scope (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a single crafted HTTP POST request to the target WordPress site's wp-admin/admin-ajax.php endpoint, invoking the Secufor_OAuth plugin's unprotected action handler. The handler executes without any authorization check, clears the stored OAuth token and user login configuration, and returns a success response. … |
| Remediation | No patched version has been identified in the provided data - all references point exclusively to the vulnerable 1.0.7 tag with no newer release referenced. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38667
GHSA-rcgx-vphg-9xcg