Skip to main content

Secufor OAuth EUVDEUVD-2026-38667

| CVE-2026-7617 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-rcgx-vphg-9xcg
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible with no privileges or interaction required; impact limited to clearing OAuth configuration yielding only low integrity loss with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:03 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.

AnalysisAI

Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Secufor_OAuth ≤1.0.7 active
Delivery
Send unauthenticated HTTP POST to wp-admin/admin-ajax.php
Exploit
Invoke unprotected token-clearing action handler
Execution
Plugin clears stored OAuth token and login config
Impact
WordPress site disconnected from Secufor account

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond network access to the WordPress site and the presence of an active Secufor_OAuth plugin installation at version 1.0.7 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score is well-calibrated: the attack vector is network-accessible with no prerequisites (AV:N/AC:L/PR:N/UI:N), but impact is strictly bounded to low integrity loss (I:L) with no confidentiality or availability effect (C:N/A:N) and unchanged scope (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a single crafted HTTP POST request to the target WordPress site's wp-admin/admin-ajax.php endpoint, invoking the Secufor_OAuth plugin's unprotected action handler. The handler executes without any authorization check, clears the stored OAuth token and user login configuration, and returns a success response. …
Remediation No patched version has been identified in the provided data - all references point exclusively to the vulnerable 1.0.7 tag with no newer release referenced. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy