CVE-2025-10753
OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly.
| CWE | CWE-862 |
| Vendor | cyberlord92 |
| Product | oauth single sign on – sso (oauth client) |
| Published | Feb 6, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for cyberlord92 oauth single sign on – sso (oauth client)
Be the first to know when new medium vulnerabilities affecting cyberlord92 oauth single sign on – sso (oauth client) are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
cyberlord92 / OAuth Single Sign On – SSO (OAuth Client)
0 ≤ 6.26.14
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail=
Credits
Jonas Benjamin Friedli