OAuth Single Sign On – SSO (OAuth Client) Security & Risk Analysis

wordpress.org/plugins/miniorange-login-with-eve-online-google-facebook

WordPress SSO (Single Sign On) with Azure, Azure B2C, Cognito, Okta, Classlink, Discord, Clever, Keycloak, OAuth & OpenID Providers [24/7 SUPPORT].

7K active installs · v6.26.19 · PHP 7.0+ · WP 3.0.1+ · Updated Apr 16, 2026
Tags: login, oauth-2-0, openid, single-sign-on, sso
Score: 82 · B · Generally Safe
CVEs total: 10
Unpatched: 0
Last CVE: Feb 5, 2026
Safety Verdict

Is OAuth Single Sign On – SSO (OAuth Client) Safe to Use in 2026?

Mostly Safe

Score 82/100

OAuth Single Sign On – SSO (OAuth Client) is generally safe to use. 10 past CVEs were resolved.

10 known CVEs · Last CVE: Feb 5, 2026 · Updated 1mo ago
Risk Assessment

The "miniorange-login-with-eve-online-google-facebook" plugin exhibits a mixed security posture. It demonstrates strong adherence to secure coding practices, such as utilizing prepared statements for all SQL queries and properly escaping a high percentage of output, but there are significant areas of concern. One AJAX handler is unprotected, which gives attackers a clear potential entry point. Furthermore, the plugin's history of 10 known CVEs, including critical and high-severity vulnerabilities such as Improper Authentication, Missing Authorization, and Cross-Site Request Forgery, indicates a pattern of past security weaknesses. Although there are currently no unpatched vulnerabilities, the recurring nature and types of historical issues suggest a need for ongoing vigilance and robust security testing. The taint analysis did not yield critical or high-severity flows, but it did identify four flows with unsanitized paths, which warrant further investigation for potential injection vulnerabilities.

In conclusion, the plugin has made strides in secure coding with its SQL and output sanitization practices. However, the unprotected AJAX endpoint and the extensive history of critical and high-severity vulnerabilities raise significant red flags. The plugin is actively maintained and addresses past vulnerabilities, but the repeated occurrence of certain vulnerability types suggests underlying architectural or implementation issues that require careful attention. The overall risk is moderate, but the potential for new vulnerabilities to emerge due to past patterns should not be underestimated.

Key Concerns

  • AJAX handler without authentication check
  • 4 unsanitized paths in taint analysis
  • 1 critical CVE in vulnerability history
  • 3 high CVEs in vulnerability history
  • 6 medium CVEs in vulnerability history
Vulnerabilities
10 published

OAuth Single Sign On – SSO (OAuth Client) Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 2 CVEs
  • 2023: 3 CVEs
  • 2024: 1 CVE
  • 2025: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 3
  • Medium: 6

10 total CVEs

CVE-2025-10753 · medium · 5.3 · Missing Authorization

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization

Feb 5, 2026 Patched in 6.26.15 (1d)
CVE-2025-9485 · critical · 9.8 · Improper Verification of Cryptographic Signature

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()

Oct 3, 2025 Patched in 6.26.13 (1d)
CVE-2025-10752 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery

Sep 25, 2025 Patched in 6.26.13 (1d)
CVE-2024-10111 · high · 8.1 · Improper Authentication

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.3 - Authentication Bypass

Dec 11, 2024 Patched in 6.26.4 (50d)
CVE-2022-34155 · high · 8.8 · Missing Authorization

OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 - Missing Authorization

May 24, 2023 Patched in 6.23.4 (244d)
CVE-2023-1092 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1 - Cross-Site Request Forgery via 'delete' in mooauth_client_applist_page

Feb 28, 2023 Patched in 6.24.2 (329d)
CVE-2023-1093 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1 - Cross-Site Request Forgery via 'discard' in mooauth_client_applist_page

Feb 15, 2023 Patched in 6.24.2 (342d)
CVE-2022-2133 · high · 8.1 · Improper Authentication

OAuth Single Sign On – SSO (OAuth Client) <= 6.22.5 - Authentication Bypass

Jun 27, 2022 Patched in 6.22.6 (575d)
WF-bb2a67ff-a452-4ecb-9fd7-bf05fe43a2f7-miniorange-login-with-eve-online-google-facebook · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OAuth Single Sign On – SSO (OAuth Client) <= 6.22.5 - Cross-Site Scripting

Jun 22, 2022 Patched in 6.23.0 (580d)
WF-44cbaa25-7e91-4b2e-81c4-ba1d7ba02350-miniorange-login-with-eve-online-google-facebook · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple miniOrange Plugins (Various Version) - Reflected Cross-Site Scripting

Aug 30, 2021 Patched in 6.20.3 (876d)

Code Analysis
Analyzed Mar 16, 2026

OAuth Single Sign On – SSO (OAuth Client) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 20 (699 escaped)
  • Nonce Checks: 30
  • Capability Checks: 13
  • File Operations: 5
  • External Requests: 29
  • Bundled Libraries: 1

Bundled Libraries

DataTables

Output Escaping

97% escaped · 719 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
mooauth_login_validate (class-mooauth-widget.php:253)
Attack Surface
1 unprotected

OAuth Single Sign On – SSO (OAuth Client) Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers 6

auth · wp_ajax_install_and_activate_rest_api_free · admin\partials\mo_plugins\src\class-mo-rest-api-advertisement.php:38
auth · wp_ajax_test_api_security · admin\partials\mo_plugins\src\class-mo-rest-api-advertisement.php:39
auth · wp_ajax_mo_rest_api_plugin_adv_dismiss_notice · admin\partials\mo_plugins\src\class-mo-rest-api-advertisement.php:40
auth · wp_ajax_mo_dismiss_admin_notice · admin\partials\notice\class-mo-oauth-admin-notice.php:27
auth · wp_ajax_mo_outh_ajax · admin\partials\setup_wizard\handler\class-mo-oauth-wizard-ajax.php:26
auth · wp_ajax_mo_oauth_debug_ajax · class-mooauth.php:47

Shortcodes 1

[mo_oauth_login] · class-mooauth.php:26

WordPress Hooks 22

action · admin_notices · admin\partials\mo_plugins\src\class-mo-rest-api-advertisement.php:37
action · admin_init · admin\partials\notice\class-mo-oauth-admin-notice.php:26
action · admin_init · admin\partials\setup_wizard\handler\class-mo-oauth-wizard-ajax.php:19
action · wp_enqueue_scripts · class-mooauth-widget.php:26
action · init · class-mooauth-widget.php:27
action · init · class-mooauth-widget.php:28
action · wp_logout · class-mooauth-widget.php:29
action · login_form · class-mooauth-widget.php:30
action · widgets_init · class-mooauth-widget.php:1017
action · init · class-mooauth-widget.php:1018
action · mo_oauth_auto_delete_debug_logs · class-mooauth.php:21
action · admin_init · class-mooauth.php:22
action · plugins_loaded · class-mooauth.php:23
action · admin_footer · class-mooauth.php:27
action · check_if_wp_rest_apis_are_open · class-mooauth.php:28
action · admin_init · class-mooauth.php:29
action · admin_init · class-mooauth.php:30
action · admin_notices · class-mooauth.php:341
action · admin_notices · class-mooauth.php:349
action · admin_menu · includes\class-mo-oauth-client.php:60
action · admin_enqueue_scripts · includes\class-mo-oauth-client.php:61
action · admin_enqueue_scripts · includes\class-mo-oauth-client.php:62

Scheduled Events 4

mo_oauth_auto_delete_debug_logs
mo_oauth_auto_delete_debug_logs
check_if_wp_rest_apis_are_open
mo_oauth_auto_delete_debug_logs
Maintenance & Trust

OAuth Single Sign On – SSO (OAuth Client) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 16, 2026
PHP min version: 7.0
Downloads: 272K

Community Trust

Rating: 98/100
Number of ratings: 318
Active installs: 7K
Developer Profile

OAuth Single Sign On – SSO (OAuth Client) Developer Profile

miniOrange

41 plugins · 83K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 324 days
Detection Fingerprints

How We Detect OAuth Single Sign On – SSO (OAuth Client)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/js/mo_oauth_client_admin.min.js
  • /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/js/mo_oauth_client_frontend.min.js
  • /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/css/mo_oauth_client_admin.min.css
  • /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/css/mo_oauth_client_frontend.min.css
  • /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/js/customization.min.js
Script Paths
  • js/mo_oauth_client_admin.min.js
  • js/mo_oauth_client_frontend.min.js
  • js/customization.min.js
Version Parameters
  • miniorange-login-with-eve-online-google-facebook/js/mo_oauth_client_admin.min.js?ver=
  • miniorange-login-with-eve-online-google-facebook/js/mo_oauth_client_frontend.min.js?ver=
  • miniorange-login-with-eve-online-google-facebook/css/mo_oauth_client_admin.min.css?ver=
  • miniorange-login-with-eve-online-google-facebook/css/mo_oauth_client_frontend.min.css?ver=
  • miniorange-login-with-eve-online-google-facebook/js/customization.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mo_oauth_customiztion
  • mo_oauth_app_customization
  • mo_oauth_customization_header
  • mo_oauth_attribute_map_heading
  • mo_oauth_position
  • mo_oauth_tooltip
  • mo_oauth_tooltiptext
  • mo_oauth_premium-label
  • +12 more
HTML Comments
/**
 * Customization
 *
 * @package apps
 * @author miniOrange <info@miniorange.com>
 * @license Expat
 * @link https://miniorange.com
 */

/**
 * Display Customizations options for login button
 */

/**
 * MiniOrange OAuth Client
 *
 * @package miniOrange-oauth-client
 * @author miniOrange <info@miniorange.com>
 * @license Expat
 * @link https://miniorange.com
 */

/**
 * Plugin Name: OAuth Single Sign On - SSO (OAuth Client)
 * Plugin URI: https://www.miniorange.com
 * Description: This WordPress Single Sign-On plugin allows login into WordPress with your Azure AD B2C, AWS Cognito, Salesforce, Keycloak, Discord, WordPress or other custom OAuth 2.0 / OpenID Connect providers. WordPress OAuth Client plugin works with any Identity provider that conforms to the OAuth 2.0 and OpenID Connect (OIDC) 1.0 standard.
 * Version: 6.26.17
 * Author: miniOrange
 * Author URI: https://www.miniorange.com
 * License: Expat
 * License URI: https://plugins.miniorange.com/mit-license
 * Text Domain: miniorange-login-with-eve-online-google-facebook
 * Domain Path: /languages
 */

+4 more
Data Attributes
  • id="mo_oauth_customiztion"
  • class="mo_oauth_app_customization"
  • id="mo_oauth_customize_icon"
  • class="mo_oauth_switching_tab mo_active_div_css"
  • id="mo_oauth_write_custom_code"
  • class="mo_oauth_switching_tab"
  • +12 more
JS Globals
  • MO_OAUTH_CSS_JS_VERSION
  • MO_OAUTH_CLIENT_PRICING_PLAN