CVE-2025-7040
WordPress · WordPress Cloud SAML SSO plugin
A high-severity vulnerability has been identified in the Cloud SAML SSO plugin for WordPress, which could allow an unauthorized user to modify critical organization settings.
Executive summary
The flaw exists because the plugin does not check the requesting user's permissions before applying changes to organization settings, creating a risk of security misconfiguration, authentication bypass, or data manipulation. Organizations using this plugin should apply the recommended update immediately to prevent potential exploitation.
Vulnerability
The vulnerability is a missing capability check within the csso_handle_actions() function of the plugin. Specifically, when the function is called with the set_organization_settings action, it does not verify whether the user initiating the request holds the appropriate administrative privileges. A low-privileged authenticated attacker, such as a subscriber, can craft a malicious request to this function to modify the plugin's organization settings, potentially altering the SAML SSO configuration without authorization.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could lead to significant business disruption and security compromise. An attacker could modify Single Sign-On (SSO) settings to lock out legitimate administrators, redirect users to malicious identity providers to steal credentials, or disable security features, thereby weakening the overall security posture of the WordPress site. This poses a direct risk to the confidentiality, integrity, and availability of the application and its associated user data.
Remediation
Immediate Action: Update the Cloud SAML SSO plugin to the latest available version, that is, a version greater than 1. If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface entirely.
Proactive Monitoring: Monitor web server access logs for POST requests targeting the WordPress AJAX handler (/wp-admin/admin-ajax.php) that contain the action=set_organization_settings parameter. Scrutinize any such requests originating from IP addresses or user accounts that do not have administrative privileges. A sudden change in the plugin's configuration files should also trigger an alert.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or flag requests containing the set_organization_settings action from non-administrative users. Additionally, enforce the principle of least privilege for all WordPress user accounts, ensuring users only have the permissions necessary for their roles.
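A log check for the Proactive Monitoring step above, added here as an example and not part of the advisory or of the plugin's own code: it parses combined-format access log lines (the sample lines and the ADMIN_IPS allow-list are constructed) and flags admin-ajax.php requests whose query string carries action=set_organization_settings from hosts not known to belong to administrators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache/nginx by default (constructed pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/wp-admin/admin-ajax.php"   # WordPress AJAX handler named in the advisory
TARGET_ACTION = "set_organization_settings"  # vulnerable action named in the advisory

# Constructed sample log lines; only 203.0.113.5 should be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:09:14:03 +0000] "POST /wp-admin/admin-ajax.php?action=set_organization_settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2025:09:14:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jul/2025:09:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=set_organization_settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2025:09:16:21 +0000] "GET /wp-login.php HTTP/1.1" 200 2044 "-" "curl/8.0"
"""
ADMIN_IPS = {"192.0.2.10"}  # constructed allow-list of hosts administrators normally use


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["path"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)   # e.g. {'action': ['set_organization_settings']}
    entry["status"] = int(entry["status"])
    return entry


def is_suspicious(entry, admin_ips):
    """True for any admin-ajax.php hit carrying the vulnerable action from a non-admin host.
    The method is not checked: admin-ajax.php accepts the action via GET as well as POST."""
    if entry is None or not entry["path"].endswith(TARGET_PATH):
        return False
    if TARGET_ACTION not in entry["query"].get("action", []):
        return False
    return entry["ip"] not in admin_ips


def scan(lines, admin_ips):
    """Return the parsed entries that should be reviewed."""
    return [e for e in map(parse_line, lines) if is_suspicious(e, admin_ips)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), ADMIN_IPS):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} status={hit['status']}")
```

Standard access logs do not record POST bodies, so a request that sends the action parameter only in the body is invisible to this check; covering that case needs request-body logging at the WAF or web server.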
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.2, organizations are strongly advised to treat this vulnerability with high priority. The potential for an authenticated, low-privileged user to escalate privileges or compromise the site's authentication mechanism presents a significant risk. Although this CVE is not currently listed on the CISA KEV catalog, immediate patching is the most effective mitigation. All instances of the Cloud SAML SSO plugin should be identified and updated without delay.