Description
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user’s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service.
Published: 2025-09-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification enabling denial of service
Action: Apply Patch
AI Analysis

Impact

The Cloud SAML SSO plugin for WordPress contains a missing capability check for the set_organization_settings action. The handler accepts client‑supplied POST parameters for organization settings and passes them directly to update_option() without validating the user’s capabilities or including a CSRF nonce. This weakness allows an unauthenticated attacker to change critical SSO configuration, such as signing and encryption toggles, which can break the authentication flow and cause a denial‑of‑service. The flaw is a classic example of Missing Authorization (CWE‑862).

Affected Systems

WordPress sites that have installed Cloud Infrastructure Services’ Cloud SAML SSO – Single Sign On Login plugin, version 1.0.19 or earlier. All earlier releases share the same code path that performs the insecure update. The issue is not present in versions newer than 1.0.19, provided the vendor has addressed the capability check in the fix.

Risk and Exploitability

The vulnerability scores a 8.2 on the CVSS scale, indicating a high‑severity condition. The EPSS score is less than 1 %, suggesting that exploitation is infrequent but possible. The vulnerability is not listed in the CISA KEV catalog. Because the action is reachable via an unauthenticated POST request that lacks a CSRF token, an attacker can trigger it solely by sending a crafted HTTP request to the plugin’s endpoint. Successful exploitation results in unauthorized configuration changes that can compromise the integrity of the SSO flow and render user authentication ineffective, leading to a denial‑of‑service for legitimate users.

Generated by OpenCVE AI on April 21, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cloud SAML SSO WordPress plugin to a version newer than 1.0.19, which includes the proper capability check on the set_organization_settings endpoint.
  • If an upgrade is not immediately possible, modify the plugin’s action handler to first verify that the current user has the "manage_options" capability before allowing organization settings to be updated; alternatively, remove the set_organization_settings endpoint entirely.
  • Implement network or application‑level controls to block unauthenticated POST requests to the plugin’s action URLs, such as protecting the administrative area with .htaccess or a firewall rule.

Generated by OpenCVE AI on April 21, 2026 at 03:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 06 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user’s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service.
Title Cloud SAML SSO <= 1.0.19 - Missing Authorization to Unauthenticated Settings Modification via set_organization_settings Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:48.328Z

Reserved: 2025-07-02T22:23:38.620Z

Link: CVE-2025-7040

cve-icon Vulnrichment

Updated: 2025-09-08T20:18:14.939Z

cve-icon NVD

Status : Deferred

Published: 2025-09-06T04:16:02.867

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses