Vulnerabilities and security research for miniorange-login-with-eve-online-google-facebook
Nov 10, 2025
OAuth Single Sign On – SSO (OAuth Client) # CVE-2025-10752
- CVE: CVE-2025-10752
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Sep 26, 2025
- Research Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: max 6.26.13
- Status: vulnerable
Oct 11, 2025
OAuth Single Sign On – SSO (OAuth Client) # CVE-2025-9485
- CVE: CVE-2025-9485
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Oct 04, 2025
- Research Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
- Affected versions: max 6.26.13
- Status: vulnerable
Dec 13, 2024
OAuth Single Sign On – SSO (OAuth Client) # CVE-2024-10111
- CVE: CVE-2024-10111
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Dec 12, 2024
- Research Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
- Affected versions: max 6.26.3
- Status: vulnerable
Jun 06, 2024
OAuth Single Sign On – SSO (OAuth Client) # CVE-2022-2133
- CVE: CVE-2022-2133
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Jul 17, 2022
- Research Description: The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with only the knowledge of a user's email address.
- Affected versions: max 6.24.2
- Status: vulnerable
OAuth Single Sign On – SSO (OAuth Client) # CVE-2022-34155
- CVE: CVE-2022-34155
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Jul 18, 2023
- Research Description: Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass. This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.
- Affected versions: max 6.20.3
- Status: vulnerable
OAuth Single Sign On – SSO (OAuth Client) # CVE-2023-1092
- CVE: CVE-2023-1092
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Mar 27, 2023
- Research Description: The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged-in admins delete arbitrary IdP via a CSRF attack.
- Affected versions: max 6.24.2
- Status: vulnerable
OAuth Single Sign On – SSO (OAuth Client) # CVE-2023-1093
- CVE: CVE-2023-1093
- Application: OAuth Single Sign On – SSO (OAuth Client)
- Date: Mar 27, 2023
- Research Description: The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identity Providers (IdP), which could allow attackers to make logged-in admins delete all IdP via a CSRF attack.
- Affected versions: max 6.24.2
- Status: vulnerable