Description
The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Secufor_OAuth plugin for WordPress suffers from a missing authorization check that allows an attacker who is not authenticated to invoke the AJAX action 'secuforoauth_unregister_action'. By doing so, the attacker can clear the stored login token and user login configuration for the WordPress site, effectively severing the connection with the linked Secufor account. This flaw enables an unauthenticated user to disrupt the authentication workflow without compromising other aspects of site integrity, leading to service degradation or temporary loss of OAuth capabilities.

Affected Systems

WordPress sites running the Secufor_OAuth plugin, specifically all versions up to and including 1.0.7. Any site on one of these versions is susceptible to the unauthorized logout vulnerability.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, suggesting limited evidence of exploitation in the wild. Attackers can target the site via a GET or POST request to the underlying AJAX endpoint without authentication, so the vector is remote and unauthenticated. The potential impact is primarily service interruption, as the OAuth link is severed but does not grant further access.

Generated by OpenCVE AI on June 24, 2026 at 09:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Secufor_OAuth to a version newer than 1.0.7 that fixes the missing authorization check.
  • Disable the Secufor_OAuth plugin temporarily until a patched version is available to prevent exploitation.
  • Configure web application firewall or .htaccess rules to block unauthenticated requests that invoke the 'secuforoauth_unregister_action' action on the plugin's AJAX endpoint.
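A virtual patch of the kind the last action describes, as an added example that is not the plugin's or OpenCVE's code: a must-use plugin that rejects the request inside WordPress before admin-ajax.php dispatches the action, which also covers POST bodies that an .htaccess rule cannot inspect. The required capability and the log line are assumptions; the plugin's own option names and nonce are not on the page, so the gate blocks rather than reimplements the handler.

```php
<?php
/**
 * Plugin Name: Gate for CVE-2026-7617 (hypothetical mu-plugin, not vendor code)
 * Description: Requires an authenticated, capable user before the
 *              'secuforoauth_unregister_action' AJAX action may run.
 */

// Action name as given in the advisory; the capability is an assumption
// (disconnecting the site's OAuth link is an administrator-level change).
const SECUFOR_GATE_ACTION     = 'secuforoauth_unregister_action';
const SECUFOR_GATE_CAPABILITY = 'manage_options';

/**
 * Runs on admin_init, which admin-ajax.php fires before the
 * wp_ajax_{action} / wp_ajax_nopriv_{action} hooks, so the plugin's
 * own handler never sees an unauthorized request.
 */
function secufor_gate_unregister_action() {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( $action !== SECUFOR_GATE_ACTION ) {
        return;
    }

    // The missing authorization check: anonymous callers and users without
    // the capability are refused with 403 and the attempt is logged.
    if ( ! is_user_logged_in() || ! current_user_can( SECUFOR_GATE_CAPABILITY ) ) {
        error_log( sprintf(
            'secufor-gate: blocked %s from %s',
            SECUFOR_GATE_ACTION,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
add_action( 'admin_init', 'secufor_gate_unregister_action', 1 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; the upgrade to a fixed version remains the actual remediation.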

Tracking

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.
Title       |                | Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:25.583Z

Reserved: 2026-05-01T13:15:23.874Z

Link: CVE-2026-7617

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses