OAuth Single Sign On < 6.22.6 - Authentication Bypass

An attacker who knows a target user's email address can send a crafted OAuth access token request to the WordPress site. The plugin fails to validate the legitimacy of these requests, so the attacker can authenticate as that user without possessing the actual OAuth credentials or authorization from the identity provider [ref_id=1]. This bypasses the intended authentication flow and allows the attacker to log into the site as any user whose email address they know [CWE-287].

The advisory does not specify exact files or functions. The plugin is identified as "miniorange-login-with-eve-online-google-facebook" (OAuth Single Sign On) [ref_id=1]. The vulnerable component is the OAuth access token request handling logic.

The advisory states the vulnerability is fixed in version 6.22.6 of the plugin [ref_id=1]. No patch diff is provided in the bundle. The fix presumably adds validation to ensure that OAuth access token requests are legitimate — for example, verifying that the token was issued by the expected authorization server and corresponds to the user attempting to log in — thereby preventing attackers from authenticating using only a known email address.