CVE-2026-7617

Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.7
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginwpoauth
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7617 (Secufor_OAuth) ## 1. Vulnerability Summary The **Secufor_OAuth** plugin (<= 1.0.7) contains a Missing Authorization vulnerability in its AJAX handling logic. The plugin registers the AJAX action `secuforoauth_unregister_action` for unauthenticated users …

Show full research plan

Exploitation Research Plan: CVE-2026-7617 (Secufor_OAuth)

1. Vulnerability Summary

The Secufor_OAuth plugin (<= 1.0.7) contains a Missing Authorization vulnerability in its AJAX handling logic. The plugin registers the AJAX action secuforoauth_unregister_action for unauthenticated users (via the wp_ajax_nopriv_ hook) but fails to implement proper authorization checks (e.g., current_user_can) or cryptographic nonces (e.g., check_ajax_referer). This allows an unauthenticated attacker to remotely trigger the "unregister" functionality, which clears the site's connection to the Secufor OAuth service, effectively disconnecting the site and potentially disrupting user authentication.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: secuforoauth_unregister_action
  • Method: HTTP POST
  • Authentication: Unauthenticated (PR:N)
  • Preconditions: The plugin must be active and ideally configured/linked to a Secufor account (though the exploit will still attempt to clear options even if empty).
  • Parameters:
    • action: secuforoauth_unregister_action
    • _wpnonce: (Potentially required, but likely missing or not validated according to the vulnerability description).

3. Code Flow (Inferred)

  1. Registration: The plugin likely registers the hook in its main file or an initialization class:
    add_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');
    add_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');
    
  2. Handler Entry: The function secuforoauth_unregister_callback (inferred name) is invoked.
  3. Missing Check: The handler likely lacks:
    • if (!current_user_can('manage_options')) die();
    • check_ajax_referer('some_action', 'nonce');
  4. The Sink: The function proceeds to clear configuration data:
    delete_option('secufor_oauth_token'); // Inferred option name
    delete_option('secufor_oauth_config'); // Inferred option name
    wp_send_json_success();
    

4. Nonce Acquisition Strategy

Based on the "Missing Authorization" description, it is highly probable that the nonce check is either entirely absent or uses a predictable/publicly exposed nonce.

Step 1: Check for Nonce requirement
Attempt the exploit without a nonce first.

Step 2: If a nonce is required (Inferred Discovery)
If the response is 403 Forbidden or 0, the agent should:

  1. Search the plugin source for wp_localize_script to find where AJAX data is passed to the frontend.
  2. Search for the JavaScript variable name (e.g., secufor_vars or wpoauth_data).
  3. Identify a shortcode or admin page where this script is enqueued.
  4. Create a page with that shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[secufor_login]' (inferred shortcode).
  5. Navigate to the page and extract the nonce:
    browser_eval("window.secufor_vars?.nonce") (inferred variable).

5. Exploitation Strategy

The exploit will attempt to trigger the unregister action via admin-ajax.php.

Request Details:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=secuforoauth_unregister_action

Execution Steps:

  1. Initialize Target: Ensure the plugin is installed and "simulated" as configured (see Test Data Setup).
  2. Send Payload: Use http_request to send the POST request.
  3. Analyze Response: A successful unregistration usually returns a JSON success object {"success":true} or redirects/dies with a specific status code.

6. Test Data Setup

To verify the "disconnection," we must first ensure there is something to disconnect.

  1. Install Plugin: wp plugin install wpoauth --version=1.0.7 --activate
  2. Set Mock Configuration: Manually populate the options that the plugin uses to store its OAuth state. (Search the plugin for update_option to find exact keys).
    • wp option update secuforoauth_token "mock_token_12345" (inferred)
    • wp option update secuforoauth_settings '{"client_id":"test","linked":true}' (inferred)
  3. Confirm Setup: wp option get secuforoauth_token should return the mock value.

7. Expected Results

  • HTTP Response: 200 OK with body containing {"success":true} or similar confirmation.
  • Database State: The options identifying the link (e.g., secuforoauth_token) should be deleted or set to empty/null.

8. Verification Steps

After the http_request is sent, use WP-CLI to check if the settings were cleared:

  1. Check for the token: wp option get secuforoauth_token
    • Expected Result: Error: Could not get 'secuforoauth_token' option. or an empty string.
  2. Check for the settings configuration: wp option get secuforoauth_settings
    • Expected Result: Should be modified or deleted.

9. Alternative Approaches

  • Targeting admin_init: If the AJAX action is not the primary sink, check for hooks into admin_init that process $_GET['secufor_unregister'] without capability checks.
  • Referer Bypass: If check_admin_referer is used (which checks nonces AND referers), ensure the Referer header is set to the WordPress admin URL in the http_request.
  • Parameter Bruteforce: If the unregister action requires an ID (e.g., &connection_id=1), iterate through common values, although "unregistering the site" usually implies a global action.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Secufor_OAuth plugin (<= 1.0.7) for WordPress fails to implement authorization checks or nonce validation on its AJAX unregistration handler. This allows unauthenticated attackers to remotely disconnect the WordPress site from its Secufor OAuth account, clearing essential configuration settings and tokens.

Vulnerable Code

/* Inferred from vulnerability description and research plan */
/* File: plugins/wpoauth/secufor-oauth.php (example path) */

add_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');
add_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');

function secuforoauth_unregister_callback() {
    delete_option('secufor_oauth_token');
    delete_option('secufor_oauth_config');
    wp_send_json_success();
}

Security Fix

--- a/plugins/wpoauth/secufor-oauth.php
+++ b/plugins/wpoauth/secufor-oauth.php
@@ -1,8 +1,11 @@
 add_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');
-add_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');
 
 function secuforoauth_unregister_callback() {
+    check_ajax_referer('secufor_oauth_nonce', 'security');
+
+    if (!current_user_can('manage_options')) {
+        wp_send_json_error('Unauthorized');
+    }
+
     delete_option('secufor_oauth_token');
     delete_option('secufor_oauth_config');
     wp_send_json_success();

Exploit Outline

To exploit this vulnerability, an attacker sends an unauthenticated HTTP POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'secuforoauth_unregister_action'. Because the plugin registers this action via the 'wp_ajax_nopriv_' hook and the handler lacks both a capability check (e.g., current_user_can) and a nonce verification (e.g., check_ajax_referer), the server executes the unregistration logic. This results in the deletion of the site's Secufor OAuth tokens and configuration options from the database, effectively severing the connection between the site and the OAuth provider.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.