CVE-2025-10753

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization

Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: 6.26.15
Time to patch: 1d

Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter, provided they can access the site directly.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 6.26.14
Published: February 5, 2026
Last updated: February 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan targets CVE-2025-10753, a missing authorization vulnerability in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress.
1. Vulnerability Summary

The vulnerability exists in the plugin's handling of OAuth-related redirect parameters. Specifically, the plugin listens for a specific query parameter (option) and, when set to oauthredirect, processes a redirect_url parameter to update a global WordPress option. Because this process lacks both authentication and authorization (current_user_can) checks, an unauthenticated attacker can modify the site's OAuth redirect configuration, potentially leading to Open Redirects or hijacking the authentication flow for legitimate users.

2. Attack Vector Analysis

  • Endpoint: The site root (/) or any page triggering WordPress's init or plugins_loaded hooks.
  • Trigger Parameter: option=oauthredirect
  • Payload Parameter: redirect_url=[URL]
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

Based on the vulnerability description and common patterns in the MiniOrange OAuth Client plugin:

  1. Entry Point: The plugin likely registers a listener on the init or admin_init hook (or early in the constructor of its main class).
  2. Hook Registration: add_action('init', 'mo_oauth_handle_all_actions'); (or similar function name).
  3. Parameter Check: Inside the handler, the code checks:
    if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {
        $redirect_url = $_REQUEST['redirect_url'];
        // Vulnerable Sink: writes a site-wide option with no auth, capability or nonce check
        update_option('mo_oauth_redirect_url', $redirect_url);
    }
  4. The Flaw: The code block above lacks any call to is_user_logged_in(), current_user_can(), or check_admin_referer()/wp_verify_nonce().

4. Nonce Acquisition Strategy

According to the "Missing Authorization" and "Unauthenticated" classification for this specific CVE, the endpoint is likely designed to handle incoming redirects from OAuth providers (which cannot provide WordPress-specific nonces).

  • Nonce Requirement: None (Expected).
  • Strategy: If the exploit fails due to a missing nonce, check the page source of the login page (/wp-login.php) for localized scripts like mo_oauth_ajax_object or mo_oauth_admin_ajax. However, for this specific "Missing Authorization" bug on a redirect handler, it is highly probable that no nonce check exists.

5. Exploitation Strategy

The goal is to modify the mo_oauth_redirect_url (or equivalent) option remotely.

Step 1: Identify the exact option name
Since source code is not provided, we will test the most likely MiniOrange option keys.

  • Common keys: mo_oauth_redirect_url, mo_oauth_client_redirect_url.

Step 2: Send the Exploitation Request
Use the http_request tool to send a GET request to the WordPress root.

  • Request URL: http://[target-ip]/?option=oauthredirect&redirect_url=https://attacker-controlled.com/evil-callback
  • Method: GET (or POST if GET is blocked)
  • Headers: Standard User-Agent. No cookies required.

Step 3: Verification
After the request, we will check if the global option in the database has changed.

6. Test Data Setup

  1. Install Plugin: Ensure miniorange-login-with-eve-online-google-facebook version <= 6.26.14 is installed.
  2. Plugin Activation: The plugin must be active.
  3. Initial State: Check the current value of the redirect option:
    wp option get mo_oauth_redirect_url

7. Expected Results

  • HTTP Response: A 200 OK or a 302 Redirect (depending on whether the plugin redirects the user after setting the option).
  • System State: The WordPress database option responsible for storing the OAuth redirect URL will be updated to https://attacker-controlled.com/evil-callback.

8. Verification Steps

Execute the following wp-cli command to verify the attack success:

# Check the specific option modified by the plugin
wp option get mo_oauth_redirect_url

If the command returns https://attacker-controlled.com/evil-callback, the exploit is successful.

9. Alternative Approaches

If mo_oauth_redirect_url is not the correct option name, investigate other potential keys:

  1. Search the plugin folder for update_option calls:
    grep -r "update_option" /var/www/html/wp-content/plugins/miniorange-login-with-eve-online-google-facebook/
  2. Look for the specific string oauthredirect in the codebase:
    grep -r "oauthredirect" /var/www/html/wp-content/plugins/miniorange-login-with-eve-online-google-facebook/
    This will reveal the exact function handling the request and the option key it modifies.
  3. Check for admin_init vs init: If GET /?option=... doesn't work, try GET /wp-admin/admin-post.php?option=oauthredirect... or GET /wp-admin/admin-ajax.php?option=oauthredirect.... Some plugins incorrectly assume admin_init only runs for admins, whereas it actually runs for any request to admin-ajax.php or admin-post.php.

Research Findings
Static analysis — not yet PoC-verified

Summary

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized modification of its configuration because it lacks capability checks and nonce verification on a specific administrative action. Unauthenticated attackers can exploit this to change the global OAuth redirect URL by sending a crafted request with the 'oauthredirect' option parameter.

Vulnerable Code

// In the plugin's main handler or initialization logic, likely in an 'init' or 'admin_init' hook

if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {
    if (isset($_REQUEST['redirect_url'])) {
        $redirect_url = $_REQUEST['redirect_url'];
        // Vulnerable Sink: Updates a global site option without authorization
        update_option('mo_oauth_redirect_url', $redirect_url);
    }
}

Security Fix

--- a/miniorange-login-with-eve-online-google-facebook/mo_oauth_handler.php
+++ b/miniorange-login-with-eve-online-google-facebook/mo_oauth_handler.php
@@ -1,5 +1,5 @@
-if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {
+if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect' && current_user_can('manage_options')) {
+    check_admin_referer('mo_oauth_redirect_nonce');
     if (isset($_REQUEST['redirect_url'])) {
         update_option('mo_oauth_redirect_url', $_REQUEST['redirect_url']);
     }
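Review bot: the write `update_option('mo_oauth_redirect_url', $_REQUEST['redirect_url']);` still stores the raw request value, so even with the added `current_user_can('manage_options')` and `check_admin_referer('mo_oauth_redirect_nonce')` checks an arbitrary scheme or host can be saved into the option that later drives redirects; pass it through `esc_url_raw()` and validate the host (at minimum `wp_http_validate_url()`) before the write, and reject the request when validation fails. Two smaller points: placing the capability check inside the `&&` condition means an unauthenticated or non-admin request silently falls through instead of being refused, which is acceptable for an init-hook handler but deserves a comment, and the hunk header `@@ -1,5 +1,5 @@` does not match the visible lines (one removed plus three context on the old side, two added plus three context on the new).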

Exploit Outline

The exploit targets the global configuration update logic triggered by the 'option' parameter. An unauthenticated attacker sends a GET or POST request to the WordPress root URL (or any URL triggering the 'init' hook) with the query parameters 'option=oauthredirect' and 'redirect_url=[ATTACKER_URL]'. Because the plugin does not verify if the user has 'manage_options' capabilities or validate a security nonce, it proceeds to update the 'mo_oauth_redirect_url' WordPress option with the attacker-supplied URL. This allows the attacker to hijack OAuth authentication flows or facilitate open redirects for legitimate users.
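As an added example (not the plugin's code and not the page's diff), this is how the inferred handler from section 3 and the Vulnerable Code block above would look with the three missing controls in place plus validation of the stored URL, which the page's fix still omits. The hook name, option key, nonce action and settings page slug are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook name, option key, nonce action
// and settings page are assumptions chosen for illustration.

// admin_post_{action} only fires for logged-in users on wp-admin/admin-post.php,
// so the write path is no longer reachable from the site root or the init hook.
add_action('admin_post_mo_oauth_save_redirect', 'example_mo_oauth_save_redirect');

function example_mo_oauth_save_redirect() {
    // Authorization: this changes a site-wide option, so require an administrator.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }
    // CSRF: the settings form must carry a nonce for this action (dies on failure).
    check_admin_referer('mo_oauth_redirect_nonce');

    $raw = isset($_POST['redirect_url']) ? wp_unslash($_POST['redirect_url']) : '';
    $url = example_mo_oauth_validate_redirect($raw);
    if ($url === false) {
        wp_die('Invalid redirect URL.', 400);
    }

    update_option('mo_oauth_redirect_url', $url);
    wp_safe_redirect(admin_url('admin.php?page=mo_oauth_settings&updated=1'));
    exit;
}

/**
 * Returns a sanitized https URL on this site's own host, or false.
 * Pinning the target to the site host removes the open-redirect and
 * flow-hijack value of the option even if the write path is exposed again.
 */
function example_mo_oauth_validate_redirect($raw) {
    // esc_url_raw() returns '' when the scheme is not in the allowed list.
    $url = esc_url_raw(trim($raw), array('https'));
    if ($url === '' || wp_http_validate_url($url) === false) {
        return false;
    }
    $host      = wp_parse_url($url, PHP_URL_HOST);
    $site_host = wp_parse_url(home_url(), PHP_URL_HOST);
    if ($host === null || strcasecmp($host, $site_host) !== 0) {
        return false;
    }
    return $url;
}
```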
