VYPR

OAuth Single Sign On

by Miniorange

CVEs (6)

  • CVE-2025-9485 | Critical | Oct 4, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation…

  • CVE-2022-34155 | High | Jul 18, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass. This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.

  • CVE-2024-10111 | High | Dec 12, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for…

  • CVE-2025-10753 | Medium | Feb 6, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via…

  • CVE-2025-10752 | Medium | Sep 26, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow.…

  • CVE-2023-1092 | Mar 27, 2023
    risk 0.00 | cvss | epss 0.00

    The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when…