Vulnerabilities and security researches foroauth2-provider

CVE, Research URL: CVE-2022-3892
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Dec 05, 2022
Research Description: The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-4148
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Mar 20, 2023
Research Description: The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-31253
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Apr 10, 2024
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WP OAuth Server OAuth Server.This issue affects OAuth Server: from n/a through 4.3.3.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3894
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Mar 20, 2023
Research Description: The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2015-9435
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Sep 26, 2019
Research Description: The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-3926
Home page URL: Security reports for WP OAuth Server (OAuth Authentication)
Application: WP OAuth Server (OAuth Authentication)
Date: Dec 05, 2022
Research Description: The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID
Affected versions: Min -, max -.
Status: vulnerable

Vulnerabilities and security researches foroauth2-provider oauth2-provider