Description
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: OAuth hijacking via CSRF
Action: Patch Now
AI Analysis

Impact

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress uses a predictable state parameter, based on a base64 encoded application name, without any randomness in the OAuth flow. This flaw allows an unauthenticated attacker to forge OAuth authorization requests and hijack the flow if a site administrator is tricked into clicking a crafted link. The result is potential unauthorized access to user accounts or impersonation of the administrator, qualifying as a CSRF weakness.
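As an added illustration (not the plugin's code), the weak state construction the advisory describes is shown next to the pattern that removes the CSRF: a random, session-bound, single-use state issued when the authorization request is built and checked when the callback arrives. The session identifiers, endpoint and client id are constructed placeholders.

```python
import hmac
import secrets
import time
from base64 import b64encode
from urllib.parse import urlencode


def predictable_state(app_name: str) -> str:
    """Weak pattern from the advisory: base64 of the app name, identical on every
    request, so anyone who knows the app name can produce a matching state."""
    return b64encode(app_name.encode()).decode()


class StateStore:
    """Server-side, per-session, single-use OAuth state values (illustrative fix
    pattern, not the plugin's code). One pending flow per session: starting a
    new flow replaces the previous state."""

    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self._pending = {}          # session_id -> (state, expiry)
        self._ttl = ttl_seconds
        self._now = now             # injectable clock for testing

    def issue(self, session_id: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable and unique per request.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, self._now() + self._ttl)
        return state

    def consume(self, session_id: str, state: str) -> bool:
        # pop() makes the value single-use; a replayed or failed callback
        # also discards the pending flow for that session.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._now() > expiry:
            return False
        # Constant-time comparison, bound to the session that started the flow.
        return hmac.compare_digest(expected, state)


def build_authorize_url(endpoint, client_id, redirect_uri, state):
    """Authorization request with the freshly issued state bound into it."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return endpoint + "?" + urlencode(query)
```

A callback carrying a state that was not issued to the caller's own session, has already been used, or has expired is rejected, which is exactly what a deterministic base64 app name cannot provide.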

Affected Systems

The vulnerability affects the OAuth Single Sign On – SSO (OAuth Client) plugin distributed by cyberlord92. All installations running version 6.26.12 or earlier are affected. No other WordPress plugins or system components are reported to be impacted.

Risk and Exploitability

The reported CVSS score of 4.3 places the issue in the low‑to‑moderate severity range, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a CSRF attack against an administrator who is persuaded to click a malicious link, and the attacker must supply the expected state value, which is feasible here because the value is derived deterministically from the application name rather than generated at random. Because of the user-interaction requirement, the risk to most organizations remains limited unless the plugin is the sole OAuth provider in use or administrators are highly susceptible to phishing.

Generated by OpenCVE AI on April 22, 2026 at 00:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OAuth Single Sign On – SSO (OAuth Client) plugin to the latest release (6.26.13 or later) when available to replace the predictable state parameter.
  • If a patch is not yet released, disable or uninstall the plugin until the vendor issues a fix, or restrict its deployment to a sandboxed environment.
  • Conduct an audit of administrator accounts to ensure only trusted personnel have access and educate them about the risks of clicking suspicious links.


Tracking

Advisories
Source: EUVD
ID: EUVD-2025-31201
Title: the CVE description quoted above (same text)
History

Fri, 26 Sep 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type: First Time appeared
Values Added: Oauth Client Single Sign On Project; Oauth Client Single Sign On Project oauth Client Single Sign On; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Oauth Client Single Sign On Project; Oauth Client Single Sign On Project oauth Client Single Sign On; Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 02:15:00 +0000

Type: Description
Values Added: the CVE description quoted above (same text)
Type: Title
Values Added: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Oauth Client Single Sign On Project Oauth Client Single Sign On
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:41.766Z

Reserved: 2025-09-19T20:37:57.485Z

Link: CVE-2025-10752

Vulnrichment

Updated: 2025-09-26T19:24:39.220Z

NVD

Status : Deferred

Published: 2025-09-26T02:15:51.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses