[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDj_QIDaEdf5KXIHzv1DF4oQIeYElY2wrbSwyitwGThw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-10753","oauth-single-sign-on-sso-oauth-client-missing-authorization-2","OAuth Single Sign On – SSO (OAuth Client) \u003C= 6.26.14 - Missing Authorization","The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. 
This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly.","miniorange-login-with-eve-online-google-facebook",null,"\u003C=6.26.14","6.26.15","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-05 18:30:28","2026-02-06 06:46:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2025-10753**, a missing authorization vulnerability in the **OAuth Single Sign On – SSO (OAuth Client)** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of OAuth-related redirect parameters. Specifically, the plugin listens for a specific query parameter (`option`) and, when set to `oauthredirect`, processes a `redirect_url` parameter to update a global WordPress option. Because this process lacks both authentication and authorization (`current_user_can`) checks, an unauthenticated attacker can modify the site's OAuth redirect configuration, potentially leading to Open Redirects or hijacking the authentication flow for legitimate users.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The site root (`\u002F`) or any page triggering WordPress's `init` or `plugins_loaded` hooks.\n*   **Trigger Parameter:** `option=oauthredirect`\n*   **Payload Parameter:** `redirect_url=[URL]`\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\nBased on the vulnerability description and common patterns in the MiniOrange OAuth Client plugin:\n\n1.  **Entry Point:** The plugin likely registers a listener on the `init` or `admin_init` hook (or early in the constructor of its main class).\n2.  
**Hook Registration:** `add_action('init', 'mo_oauth_handle_all_actions');` (or similar function name).\n3.  **Parameter Check:** Inside the handler, the code checks:\n    ```php\n    if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {\n        $redirect_url = $_REQUEST['redirect_url'];\n        \u002F\u002F Vulnerable Sink\n        update_option('mo_oauth_redirect_url', $redirect_url); \n    }\n    ```\n4.  **The Flaw:** The code block above lacks any call to `is_user_logged_in()`, `current_user_can()`, or `check_admin_referer()`\u002F`wp_verify_nonce()`.\n\n### 4. Nonce Acquisition Strategy\nAccording to the \"Missing Authorization\" and \"Unauthenticated\" classification for this specific CVE, the endpoint is likely designed to handle incoming redirects from OAuth providers (which cannot provide WordPress-specific nonces). \n*   **Nonce Requirement:** None (Expected).\n*   **Strategy:** If the exploit fails due to a missing nonce, check the page source of the login page (`\u002Fwp-login.php`) for localized scripts like `mo_oauth_ajax_object` or `mo_oauth_admin_ajax`. However, for this specific \"Missing Authorization\" bug on a redirect handler, it is highly probable that no nonce check exists.\n\n### 5. Exploitation Strategy\nThe goal is to modify the `mo_oauth_redirect_url` (or equivalent) option remotely.\n\n**Step 1: Identify the exact option name**\nSince source code is not provided, we will test the most likely MiniOrange option keys.\n*   Common keys: `mo_oauth_redirect_url`, `mo_oauth_client_redirect_url`.\n\n**Step 2: Send the Exploitation Request**\nUse the `http_request` tool to send a GET request to the WordPress root.\n\n*   **Request URL:** `http:\u002F\u002F[target-ip]\u002F?option=oauthredirect&redirect_url=https:\u002F\u002Fattacker-controlled.com\u002Fevil-callback`\n*   **Method:** `GET` (or `POST` if `GET` is blocked)\n*   **Headers:** Standard `User-Agent`. 
No cookies required.\n\n**Step 3: Verification**\nAfter the request, we will check if the global option in the database has changed.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `miniorange-login-with-eve-online-google-facebook` version `\u003C= 6.26.14` is installed.\n2.  **Plugin Activation:** The plugin must be active.\n3.  **Initial State:** Check the current value of the redirect option:\n    `wp option get mo_oauth_redirect_url`\n\n### 7. Expected Results\n*   **HTTP Response:** A `200 OK` or a `302 Redirect` (depending on if the plugin redirects the user after setting the option).\n*   **System State:** The WordPress database option responsible for storing the OAuth redirect URL will be updated to `https:\u002F\u002Fattacker-controlled.com\u002Fevil-callback`.\n\n### 8. Verification Steps\nExecute the following `wp-cli` command to verify the attack success:\n```bash\n# Check the specific option modified by the plugin\nwp option get mo_oauth_redirect_url\n```\nIf the command returns `https:\u002F\u002Fattacker-controlled.com\u002Fevil-callback`, the exploit is successful.\n\n### 9. Alternative Approaches\nIf `mo_oauth_redirect_url` is not the correct option name, investigate other potential keys:\n1.  **Search the plugin folder for `update_option` calls:**\n    `grep -r \"update_option\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fminiorange-login-with-eve-online-google-facebook\u002F`\n2.  **Look for the specific string `oauthredirect` in the codebase:**\n    `grep -r \"oauthredirect\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fminiorange-login-with-eve-online-google-facebook\u002F`\n    This will reveal the exact function handling the request and the option key it modifies.\n3.  **Check for `admin_init` vs `init`:** If `GET \u002F?option=...` doesn't work, try `GET \u002Fwp-admin\u002Fadmin-post.php?option=oauthredirect...` or `GET \u002Fwp-admin\u002Fadmin-ajax.php?option=oauthredirect...`. 
Some plugins incorrectly assume `admin_init` only runs for admins, whereas it actually runs for any request to `admin-ajax.php` or `admin-post.php`.","The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized modification of its configuration because it lacks capability checks and nonce verification on a specific administrative action. Unauthenticated attackers can exploit this to change the global OAuth redirect URL by sending a crafted request with the 'oauthredirect' option parameter.","\u002F\u002F In the plugin's main handler or initialization logic, likely in an 'init' or 'admin_init' hook\n\nif (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {\n    if (isset($_REQUEST['redirect_url'])) {\n        $redirect_url = $_REQUEST['redirect_url'];\n        \u002F\u002F Vulnerable Sink: Updates a global site option without authorization\n        update_option('mo_oauth_redirect_url', $redirect_url);\n    }\n}","--- a\u002Fminiorange-login-with-eve-online-google-facebook\u002Fmo_oauth_handler.php\n+++ b\u002Fminiorange-login-with-eve-online-google-facebook\u002Fmo_oauth_handler.php\n@@ -1,5 +1,5 @@\n-if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect') {\n+if (isset($_REQUEST['option']) && $_REQUEST['option'] == 'oauthredirect' && current_user_can('manage_options')) {\n+    check_admin_referer('mo_oauth_redirect_nonce');\n     if (isset($_REQUEST['redirect_url'])) {\n         update_option('mo_oauth_redirect_url', $_REQUEST['redirect_url']);\n     }","The exploit targets the global configuration update logic triggered by the 'option' parameter. An unauthenticated attacker sends a GET or POST request to the WordPress root URL (or any URL triggering the 'init' hook) with the query parameters 'option=oauthredirect' and 'redirect_url=[ATTACKER_URL]'. 
Because the plugin does not verify if the user has 'manage_options' capabilities or validate a security nonce, it proceeds to update the 'mo_oauth_redirect_url' WordPress option with the attacker-supplied URL. This allows the attacker to hijack OAuth authentication flows or facilitate open redirects for legitimate users.","gemini-3-flash-preview","2026-04-21 03:55:56","2026-04-21 03:57:37",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.26.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-login-with-eve-online-google-facebook\u002Ftags\u002F6.26.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-login-with-eve-online-google-facebook.6.26.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-login-with-eve-online-google-facebook\u002Ftags\u002F6.26.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-login-with-eve-online-google-facebook.6.26.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-login-with-eve-online-google-facebook\u002Ftags"]
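Review bot: the hunk header `@@ -1,5 +1,5 @@` in `research_fix_diff` does not match its body, which removes one line and adds two (`+if (... && current_user_can('manage_options')) {` and `+    check_admin_referer('mo_oauth_redirect_nonce');`), so the new-side count should be 6 and the patch as written will not apply cleanly. Folding `current_user_can('manage_options')` into the `if` condition also means an unauthorized request silently falls through while a bad nonce makes `check_admin_referer()` die, so the two checks fail differently; a single explicit failure path (capability check first, then nonce, both ending in `wp_die()`) is easier to audit and to alert on. The sink `update_option('mo_oauth_redirect_url', $_REQUEST['redirect_url']);` still stores the raw request value; sanitize it with `esc_url_raw()` and, since this value becomes an OAuth callback, validate it against an allowlist of expected hosts before saving. Note too that the record marks the code flow, file name `mo_oauth_handler.php` and nonce action as inferred rather than taken from the plugin source, so this diff documents a plausible fix shape, not the vendor's actual 6.26.15 change, and should not be cited as such.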