A critical vulnerability has been identified in the OAuth Single Sign On – SSO plugin for WordPress, which could allow an unauthenticated attacker to bypass authentication controls. By forging a cryptographic signature, an attacker could impersonate any user, including administrators, leading to a complete compromise of the affected website. This could result in data theft, website defacement, and further attacks originating from the compromised system.

The vulnerability exists due to an improper verification of cryptographic signatures within the OAuth/OIDC authentication process. The plugin fails to correctly validate the signature of the identity token provided by the identity provider. An unauthenticated attacker can exploit this by crafting a malicious token with a forged signature and sending it to the WordPress site. The vulnerable plugin will accept the invalid signature, granting the attacker an authenticated session as the user they are impersonating, potentially including administrative accounts.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant business disruption. Successful exploitation grants an attacker unauthorized access to the WordPress application, potentially with the highest level of privileges. The consequences include, but are not limited to, theft of sensitive user data and intellectual property, unauthorized content modification or deletion, installation of malicious software, and reputational damage. A compromised website could also be used to launch further attacks against customers or other internal systems, posing a severe risk to the organization's security posture and business continuity.

Immediate Action:

• Immediately update The OAuth Single Sign On – SSO (OAuth Client) plugin to the latest patched version on all affected WordPress instances.
• After patching, review all user accounts, especially administrative accounts, for any signs of unauthorized access or modification.
• Thoroughly review WordPress access logs and server logs for any unusual authentication events or requests targeting the SSO functionality that occurred prior to patching.

Proactive Monitoring:

• Implement continuous monitoring of authentication logs for anomalies, such as logins from unusual IP addresses or geographic locations, rapid changes in user agent strings, or successful logins for accounts that have been inactive.
• Monitor for unauthorized creation of new administrative accounts or unexpected privilege escalations for existing accounts.
• Configure alerts for multiple failed login attempts followed by a sudden successful authentication, which could indicate a successful exploit.

Compensating Controls:

• If immediate patching is not feasible, consider temporarily disabling the plugin to remove the attack vector until the update can be applied.
• Implement a Web Application Firewall (WAF) with rules specifically designed to inspect and block malformed or forged authentication tokens.
• Restrict access to the WordPress administrative dashboard (/wp-admin) to trusted IP addresses only.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of complete system compromise, it is imperative that organizations address this vulnerability with the highest priority. We strongly recommend immediately applying the vendor-supplied patch to all affected systems. Although there is no evidence of active exploitation at this time, the window for a potential attack is small. Organizations should treat this as an active threat and assume that an exploit will become publicly available in the near future.