
cpe:2.3:a:cyberlord92:oauth_single_sign_on_–_sso_(oauth_client):*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *

Vendor: Cyberlord92 (d4db5aca-fcb6-5704-b2d9-5b8ecb1765d8)
Product: Oauth Single Sign On – Sso (Oauth Client) (f38dab38-0383-520b-aa15-296dcc127cf3)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL | Source | Last updated

No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

Identifier: CVE-2025-9485
CPE applicability: vulnerable
Submitted: 2026-06-03 15:13:46.594203
Title: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()
Severity: CRITICAL (9.8)
Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
Published: 2025-10-04T02:24:37.169Z
Updated: 2026-04-08T17:25:21.100Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-10753
CPE applicability: vulnerable
Submitted: 2026-06-03 14:58:34.728328
Title: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization
Severity: MEDIUM (5.3)
Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly.
Published: 2026-02-06T06:46:30.162Z
Updated: 2026-04-08T17:09:14.056Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-10752
CPE applicability: vulnerable
Submitted: 2026-06-03 14:58:34.727983
Title: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery
Severity: MEDIUM (4.3)
Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-26T01:47:27.527Z
Updated: 2026-04-08T17:30:41.766Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2024-10111
CPE applicability: vulnerable
Submitted: 2026-06-03 14:54:04.914955
Title: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.3 - Authentication Bypass
Severity: HIGH (8.1)
Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
Published: 2024-12-12T03:23:10.001Z
Updated: 2026-04-08T17:28:10.260Z
Rationale: Imported from gcve-enriched-dumps CVE data
