CVE-2024-10111

Published
View on NVD ↗
CVSS v3: 8.1 HIGH
CVSS v2: N/A
Affected: 1 project

Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification of the user identity returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know that user's username and the user does not already have a linked account for the provider that issued the token.
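The bug class in the description is an account-mapping failure: the callback trusts a username carried in the provider's token to pick a local WordPress user, instead of selecting the user by a provider identity that was linked earlier. The following is an added example written for this page, not code from the OAuth Single Sign On plugin or from miniOrange, and the hardened form is one reasonable fix rather than the vendor's actual patch. The user table, claim names (`iss`, `sub`, `preferred_username`), and the issuer URL are constructed for illustration; token signature validation is assumed to have happened before these functions run.

```python
# Added example (not the plugin's code): models the account-mapping step of an
# OAuth/OIDC social-login callback.  Everything below (users, issuer, claims)
# is constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_ISSUER = "https://idp.example.com"  # assumed: the provider this site configured


@dataclass
class User:
    id: int
    login: str
    role: str
    # provider identities already linked to this local account: issuer -> subject
    linked: dict = field(default_factory=dict)


# Constructed user table: the administrator has never used social login,
# the editor has linked an account at the trusted provider.
USERS = [
    User(1, "admin", "administrator"),
    User(2, "editor", "editor", {TRUSTED_ISSUER: "sub-editor-77"}),
]


def find_by_login(login: Optional[str]) -> Optional[User]:
    return next((u for u in USERS if u.login == login), None)


def find_by_linked_subject(issuer: str, sub: str) -> Optional[User]:
    return next((u for u in USERS if u.linked.get(issuer) == sub), None)


def vulnerable_login(claims: dict) -> Optional[User]:
    """The advisory's pattern: insufficient verification of the token's user.

    If the (issuer, sub) pair is not linked to anyone, fall back to matching
    the token's username claim against local logins.  Any existing account,
    including the administrator, is reachable by whoever can obtain a token
    whose username claim reads "admin" (self-chosen username at the provider,
    or knowledge of the target's login) as long as the target never linked
    that provider to their account.
    """
    user = find_by_linked_subject(claims.get("iss", ""), claims.get("sub", ""))
    if user is None:
        user = find_by_login(claims.get("preferred_username"))
    return user


def hardened_login(claims: dict, trusted_issuer: str = TRUSTED_ISSUER) -> Optional[User]:
    """One hardened mapping (an illustration, not the vendor's fix).

    1. Accept tokens only from the provider this site configured.
    2. Select the local user solely by a previously linked (issuer, sub) pair;
       `sub` is the provider's stable identifier, usernames and emails are not.
    3. Never fall back to a username match: an unlinked token yields no session.
    """
    if claims.get("iss") != trusted_issuer:
        return None
    sub = claims.get("sub")
    if not sub:
        return None
    return find_by_linked_subject(trusted_issuer, sub)


def link_account(user: User, issuer: str, sub: str) -> bool:
    """Explicit linking, to be called only for a user who is currently
    password-authenticated (the caller enforces that).  Refuses to attach a
    provider subject that already belongs to a different local account."""
    existing = find_by_linked_subject(issuer, sub)
    if existing is not None and existing.id != user.id:
        return False
    user.linked[issuer] = sub
    return True


# Constructed token claims (post signature validation, which is a separate step).
ATTACKER_CLAIMS = {"iss": TRUSTED_ISSUER, "sub": "sub-attacker-9",
                   "preferred_username": "admin"}
EDITOR_CLAIMS = {"iss": TRUSTED_ISSUER, "sub": "sub-editor-77",
                 "preferred_username": "editor"}


if __name__ == "__main__":
    print("vulnerable mapping:", vulnerable_login(ATTACKER_CLAIMS))  # admin session
    print("hardened mapping:  ", hardened_login(ATTACKER_CLAIMS))    # None
```

The practical check for a site operator follows from the same logic: a social-login plugin is safe to enable only if an unlinked provider identity can never be resolved to an existing local account by username or email alone, and linking happens from inside an already-authenticated session.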

<p><strong>WordPress Single Sign-On</strong> (WordPress SSO) with our <strong><a href="https://plugins.miniorange.com/wordpress-sso?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_1" rel="nofollow ugc">OAuth &amp; OpenID Connect plugin</a></strong> allows unlimited login/SSO (Single Sign On) with your <strong><a href="https://plugins.miniorange.com/azure-ad-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_2" rel="nofollow ugc">Azure AD</a></strong>, <strong><a href="https://plugins.miniorange.com/azure-b2c-ad-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_3" rel="nofollow ugc">Azure B2C</a></strong>, <strong><a href="https://plugins.miniorange.com/google-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_4" rel="nofollow ugc">G Suite / Google Apps / Google Workspace</a></strong>, <strong><a href="https://plugins.miniorange.com/classlink-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_12" rel="nofollow ugc">ClassLink</a></strong>, <strong><a href="https://plugins.miniorange.com/clever-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_11" rel="nofollow ugc">Clever</a></strong>, <strong><a href="https://plugins.miniorange.com/office-365-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_5" rel="nofollow ugc">Office 365</a></strong>, <strong><a 
href="https://plugins.miniorange.com/aws-cognito-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_6" rel="nofollow ugc">AWS Cognito</a></strong>, <strong><a href="https://plugins.miniorange.com/discord-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_7" rel="nofollow ugc">Discord</a></strong>, <strong><a href="https://plugins.miniorange.com/ping-federate-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">PingFederate</a></strong>, <strong><a href="https://plugins.miniorange.com/salesforce-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_10" rel="nofollow ugc">Salesforce</a></strong>, <strong><a href="https://plugins.miniorange.com/keycloak-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_9" rel="nofollow ugc">Keycloak</a></strong>, <strong><a href="https://plugins.miniorange.com/okta-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_8" rel="nofollow ugc">Okta</a></strong>, <strong><a href="https://plugins.miniorange.com/identityserver4-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Identity Server</a></strong>, <strong><a href="https://plugins.miniorange.com/invision-community-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Invision Community</a></strong> or other custom OAuth 2.0 and OpenID Connect providers. 
WordPress SSO plugin supports Single Sign On (SSO) with many OAuth 2.0, OAuth 2.1, OAuth 1.0 &amp; OpenID Connect (OIDC) 1.0 providers.</p> <p>An unlimited number of users can perform Single Sign-On with OAuth/OIDC supported Identity Providers on WordPress using SSO capabilities.</p> <p>|<a href="https://plugins.miniorange.com/wordpress-sso#key-features" rel="nofollow ugc"> Features </a>| <a href="https://plugins.miniorange.com/wordpress-single-sign-on-sso-with-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_13" rel="nofollow ugc"> OAuth / OpenID Providers Setup guides </a>|<a href="https://youtu.be/Vff0E0KxM3k" rel="nofollow ugc"> Videos </a>|</p> <h4>POPULAR OAUTH AND OPENID CONNECT (OIDC) PROVIDERS SINGLE SIGN-ON</h4> <p>The following providers support OAuth 2.0/OpenID Connect SSO for WordPress login.</p> <ul> <li><a href="https://plugins.miniorange.com/aws-cognito-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_6" rel="nofollow ugc">AWS Cognito SSO | Login with AWS Cognito</a></li> <li><a href="https://plugins.miniorange.com/office-365-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_5" rel="nofollow ugc">Office 365 SSO | Login with Office 365</a></li> <li><a href="https://plugins.miniorange.com/azure-b2c-ad-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_3" rel="nofollow ugc">Azure B2C SSO | Login with Azure B2C</a></li> <li><a href="https://plugins.miniorange.com/azure-ad-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Azure AD SSO | Login with Azure AD</a></li> <li><a 
href="https://plugins.miniorange.com/adfs-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">ADFS SSO | Login with ADFS</a></li> <li><a href="https://plugins.miniorange.com/auth0-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Auth0 SSO | Login with Auth0</a></li> <li><a href="https://plugins.miniorange.com/okta-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_8" rel="nofollow ugc">OKTA SSO | Login with OKTA</a></li> <li><a href="https://plugins.miniorange.com/classlink-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_12" rel="nofollow ugc">ClassLink SSO | Login with ClassLink</a></li> <li><a href="https://plugins.miniorange.com/keycloak-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_9" rel="nofollow ugc">Keycloak SSO | Login with Keycloak</a></li> <li><a href="https://plugins.miniorange.com/clever-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_11" rel="nofollow ugc">Clever SSO | Login with Clever</a></li> <li><a href="https://plugins.miniorange.com/google-classroom-single-sign-on-sso" rel="nofollow ugc">Google Classroom SSO | Login with Google Classroom</a></li> <li><a href="https://plugins.miniorange.com/salesforce-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_10" rel="nofollow ugc">Salesforce SSO | Login with Salesforce</a></li> <li><a 
href="https://plugins.miniorange.com/wordpress-oauth-openid-connect-single-sign-on-sso-using-criipto?utm_source=Readme&amp;utm_medium=Readme&amp;utm_campaign=Readme&amp;utm_id=wpor_15" rel="nofollow ugc">Criipto SSO | Login with Criipto</a></li> <li><a href="https://plugins.miniorange.com/google-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_4" rel="nofollow ugc">G Suite / Google Apps SSO | Login with Google</a></li> <li><a href="https://plugins.miniorange.com/ping-federate-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Ping Federate SSO ( Ping / Ping Identity ) | Login with Ping Federate</a></li> <li><a href="https://plugins.miniorange.com/identityserver4-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">IdentityServer4 SSO | Login with IdentityServer4</a></li> <li><a href="https://plugins.miniorange.com/identityserver3-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">WordPress IdentityServer3 SSO | Login with IdentityServer3</a></li> <li><a href="https://plugins.miniorange.com/discord-single-sign-on-wordpress-sso-oauth-openid-connect?utm_source=wordpress_readme&amp;utm_medium=marketplace&amp;utm_campaign=readme_traffic&amp;utm_id=wpor_7" rel="nofollow ugc">Discord SSO | Login with Discord</a></li> <li><a href="https://plugins.miniorange.com/onelogin-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">OneLogin SSO | Login with OneLogin</a></li> <li><a href="https://plugins.miniorange.com/swiss-rx-login-single-sign-on-for-wordpress-using-oauth" rel="nofollow ugc">Swiss-RX-Login SSO ( Swiss RX Login ) | Login with Swiss-RX-Login</a></li> <li><a href="https://plugins.miniorange.com/neon-crm-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Neon CRM SSO | Login with Neon CRM</a></li> <li><a 
href="https://plugins.miniorange.com/imis-oauth-and-openid-connect-single-sign-on-sso" rel="nofollow ugc">iMIS SSO | Login with iMIS</a></li> <li><a href="https://plugins.miniorange.com/signicat-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Signicat SSO | User Verification with Signicat</a></li> <li><a href="https://plugins.miniorange.com/id-me-oauth-and-openid-connect-single-sign-on-sso-login" rel="nofollow ugc">ID.me SSO | Login with ID.me</a></li> <li><a href="https://plugins.miniorange.com/canvas-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Canvas SSO | Login with Canvas</a></li> <li><a href="https://plugins.miniorange.com/guide-to-setup-single-sign-on-between-two-wordpress-sites" rel="nofollow ugc">WordPress SSO | Login with WordPress</a></li> <li><a href="https://plugins.miniorange.com/wso2-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">WSO2 SSO | Login with WSO2</a></li> <li><a href="https://plugins.miniorange.com/openathens-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">OpenAthens SSO | Login with OpenAthens</a></li> <li><a href="https://plugins.miniorange.com/hp-single-sign-on-sso-oauth-and-openid-connect" rel="nofollow ugc">HP SSO | Login with HP</a></li> <li><a href="https://plugins.miniorange.com/servicenow-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Servicenow SSO | Login with Servicenow</a></li> <li><a href="https://plugins.miniorange.com/invision-community-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Invision Community SSO | Login with Invision Community</a></li> <li><a href="https://plugins.miniorange.com/forgerock-open-am-single-sign-on-for-wordpress-using-oauth" rel="nofollow ugc">OpenAM / Forgerock SSO | Login with Forgerock</a></li> <li><a href="https://plugins.miniorange.com/nextcloud-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">NextCloud SSO | Login with NextCloud</a></li> 
<li><a href="https://plugins.miniorange.com/orcid-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Orcid SSO | Login with Orcid</a></li> <li><a href="https://plugins.miniorange.com/memberclicks-oauth-and-openid-connect-single-sign-on-sso-login" rel="nofollow ugc">Memberclicks SSO | Login with MemberClicks</a></li> <li><a href="https://plugins.miniorange.com/sheepcrm-oauth-and-openid-connect-single-sign-on-sso-login" rel="nofollow ugc">SheepCRM SSO | Login with SheepCRM</a></li> <li><a href="https://plugins.miniorange.com/amazon-oauth-and-openid-connect-single-sign-on-sso-login" rel="nofollow ugc">Amazon SSO | Login with Amazon</a></li> <li><a href="https://plugins.miniorange.com/slack-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Slack SSO | Login with Slack</a></li> <li><a href="https://plugins.miniorange.com/yahoo-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Yahoo SSO | Login with Yahoo</a></li> <li><a href="https://plugins.miniorange.com/linkedin-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">LinkedIn SSO | Login with LinkedIn</a></li> <li><a href="https://plugins.miniorange.com/gitlab-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Gitlab SSO | Login with Gitlab</a></li> <li><a href="https://plugins.miniorange.com/github-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">GitHub SSO | Login with GitHub</a></li> <li><a href="https://plugins.miniorange.com/login-with-apple-app-using-wordpress-oauth-client" rel="nofollow ugc">Apple SSO | Login with Apple</a></li> <li><a href="https://plugins.miniorange.com/strava-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Strava SSO | Login with Strava</a></li> <li><a href="https://plugins.miniorange.com/blizzard-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Blizzard / Battle.net SSO | Login with Battle.net</a></li> <li><a 
href="https://plugins.miniorange.com/eve-online-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Eve Online SSO | Login with Eve Online</a></li> <li><a href="https://plugins.miniorange.com/hubspot-single-sign-on-for-wordpress-using-oauth" rel="nofollow ugc">Hubspot SSO | Login with Hubspot</a></li> <li><a href="https://plugins.miniorange.com/twitter-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">X(Twitter) SSO | Login with Twitter</a></li> <li><a href="https://plugins.miniorange.com/zoho-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">Zoho SSO | Login with Zoho</a></li> <li><a href="https://plugins.miniorange.com/idaptive-single-sign-on-for-wordpress-using-oauth" rel="nofollow ugc">Idaptive SSO | CyberArk SSO | Login with CyberArk</a></li> <li><a href="https://plugins.miniorange.com/whmcs-single-sign-on-wordpress-sso-oauth-openid-connect" rel="nofollow ugc">WHMCS SSO | Login with WHMCS</a></li> <li><a href="https://plugins.miniorange.com/franceconnect-single-sign-on-sso-wordpress-oauth" rel="nofollow ugc">France Connect SSO | Login with France Connect</a></li> </ul> <h4>OTHER OAUTH AND OPENID CONNECT (OIDC) PROVIDERS WE SUPPORT FOR WORDPRESS SINGLE SIGN-ON (SSO)</h4> <ul> <li>Other OAuth 2.0 and OpenID Connect (OIDC) 1.0 servers the WordPress Single Sign-On (SSO) plugin supports include Office 365, AWS Cognito, Microsoft Dynamic CRM 365, Auth0, Google Workspace, Egnyte, Autodesk, Zendesk, Foursquare, Harvest, Mailchimp, Bitrix24, Spotify, Vkontakte, Huddle, Reddit, Strava, Ustream, Yammer, RunKeeper, Instagram, SoundCloud, Pocket, PayPal, Pinterest, Vimeo, Nest, Heroku, DropBox, Buffer, Box, Hubic, Deezer, DeviantArt, Delicious, Dailymotion, Bitly, Mondo, Netatmo, Amazon, FitBit, Clever, Square Connect, Windows, Microsoft Live, Dash 10, Github, Invision Community, Blizzard, authlete, Keycloak, Procore, Eve Online, Laravel Passport, Nextcloud, Renren, Soundcloud, OpenAM / Forgerock, IdentityServer, 
ORCID, Diaspora, Timezynk, Idaptive CyberArk, Duo Security, Rippling, Crowd, Janrain, Numina Solutions, Ubuntu Single Sign-On, Apple, Ipsilon, Zoho, Stripe, Itthinx, Fellowshipone, Miro, Naver, Clever, Coil, Parallel Markets, VATSIM, Liferay, Fatsecret, Intuit, iMIS, ORY Hydra, FusionAuth, Kakao, ID.me, MoxiWorks, HR Answerlink / Support center, ClassLink, Google Classroom, MemberClicks, BankID, CSI, Splitwise, Infusionsoft, Hubspot, Join It, MyAcademicID, MemberConnex, Novi, Coassemble, Servicenow, IBM APP ID, Nimble AMS, iSpring LMS, Neon CRM, EPIC, IPB forum, Wiziq, Sprinklr, Elvanto, ABSORB LMS, Wechat, Weibo, Shibboleth, Centrify, FranceConnect, Church Online, Bigcommerce, Sewobe, PracticePanther, SubscribeStar, Eventbrite, Medi-Access, Lichess, CILogon, Servicem8, Gigya, PhantAuth, XING, Simplecast, SURF, MediaWiki, UNA, NetSuite, Oracle IDCS, Globus, Square, SimpleSAMLphp, Basecamp, HP, SHELL, Otoy, Steam, Webflow, Simplepass, Feide, SingPass, Asmodee, SwissID, Miro, Alkami, Switch, Citrix, Schoology, iGov, LearnWorlds, France Connect, DID, Blackboard, UAEPass, Polar, CodeB, Vincere CRM, F5, TicketMaster, BizLibrary, Skolon, Rapattoni, PowerSchool, Minecraft, NETS, Joomla, Drupal, ASP.NET, CA Siteminder, Outseta, XUMM, ID Austria, Ubisecure, Gravitee.io, SheepCRM, Wahoo, WeatherFlow Tempest, OneWelcome / iWelcome, Xbox, Trovo, Cornerstone, Criipto, bare.id, Discourse, Authentik, Sailpoint, Coil, Asset Bank, GrowthZone, Vipps, Authorizer, Deviant Art, Miracl, Teamsnap, Authelia, Django, IDsampa, Cvent, SERMO, Pixelfed, Finys, Login.gov, Fastcase, Acuity, ARPA, Zitadel, Yeti, myID.be, memberful, Open edX / eduNEXT, Teachable, Mindbody etc. 
This comprehensive SSO support facilitates seamless integration and secure authentication across a wide range of platforms.</li> </ul> <h4>WordPress Single Sign-On ( Login to WordPress )</h4> <p>WordPress Single Sign-On allows users to log into any website/application using the single set of credentials of another app/site through the SSO feature.<br /> <strong>Example:</strong> Let’s say you have all your users/customers/members/employees stored on a site, called ‘site A’, and you want all of them to register/login using SSO to your WordPress site called ‘site B’. In this scenario, you can register/login all your users of site A into site B using the login credentials/account of site A. This is called Single Sign-On, and it simplifies user management.</p> <h4>WordPress Single Sign-On supported Third-Party Application / OAuth OpenID Provider</h4> <ul> <li>The Third-Party Application can be anything where user accounts are stored or a site/application where you want to store/migrate all the users. It can be your social login app, WordPress site, OAuth provider, OpenID provider, custom provider or any database.</li> <li> <p>Identity providers such as OAuth Identity Provider, OAuth Server, OpenID Connect Server, OpenID Connect Provider, and OIDC Application support Single Sign-On. 
SSO integration ensures secure user authentication and management across these platforms.</p> </li> <li> <p>OAuth and OpenID Connect are token-based Single Sign-On protocols that allow an end user&#8217;s account information to be used by third-party services without exposing the user&#8217;s password.</p> </li> </ul> <h4>WordPress Single Sign-On USE CASES</h4> <ul> <li><strong>WordPress to WordPress SSO</strong>: Single Sign On to one/multiple WordPress sites (single/multisite) using User Credentials stored on another WordPress site with the WordPress SSO plugin.</li> <li>Single Sign On to one/multiple WordPress sites (single / multisite) using User Credentials stored on your OAuth / OpenID Connect (OIDC) application.</li> <li>Single Sign On into WordPress using existing User stores (Active Directory/Database)</li> <li>SSO and extended plugin functionality using tokens (access_token / JWT token / id_token) such as secure API calls using a third-party token</li> <li>Others: eCommerce Single Sign On/Login, Single Sign On for Educational and Healthcare platforms</li> </ul> <p><strong>Microsoft SSO/Azure SSO</strong></p> <p>This WordPress Single Sign-On (OAuth / OpenID Connect SSO) plugin supports SSO with Microsoft apps like Azure AD, Azure B2C, Office 365, Microsoft Dynamics CRM, Microsoft Teams, and Windows Live. It also supports policy-based login redirections, including sign-up, sign-in, forgot password, and custom policies, enhancing the login experience across Microsoft services.</p> <p>WordPress integrates with Microsoft services like Azure AD, Azure B2C, and Office 365 for secure Single Sign-On across single-site a