Oauth Single Sign On Sso Oauth Client
Monthly
Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.
Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.