The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, developed by cyberlord92, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-10752. This vulnerability exists in all plugin versions up to and including 6.26.12. The root cause is the use of a predictable state parameter in the OAuth authorization flow, which is simply the base64 encoded application name without any added randomness or nonce. The state parameter in OAuth is intended to prevent CSRF by binding the authorization request to a user session; however, the predictability here allows attackers to forge valid OAuth requests. An attacker, without authentication, can craft a malicious link that, if clicked by a site administrator, triggers an unauthorized OAuth authorization request. This can lead to hijacking or manipulation of the OAuth flow, potentially allowing attackers to perform unauthorized actions or gain elevated access through the compromised OAuth session. The vulnerability impacts the integrity of the authentication process but does not directly expose confidential data or cause denial of service. The CVSS v3.1 score of 4.3 reflects a medium severity, with no privileges required but user interaction necessary. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The issue highlights the importance of using unpredictable, random state parameters in OAuth implementations to prevent CSRF attacks.

The primary impact of this vulnerability is on the integrity of the OAuth authentication process within WordPress sites using the affected plugin. Successful exploitation could allow attackers to hijack OAuth authorization flows, potentially granting unauthorized access or performing actions on behalf of administrators. This could lead to unauthorized account linking, privilege escalation, or unauthorized access to connected services relying on OAuth. While confidentiality and availability impacts are limited, the integrity compromise can undermine trust in authentication and session management, possibly leading to further exploitation or lateral movement within affected environments. Organizations relying on this plugin for single sign-on functionality face risks of unauthorized access and potential compromise of user accounts or connected applications. The medium CVSS score reflects the need for attention but indicates that exploitation requires user interaction and is not trivially automated.

1. Update the OAuth Single Sign On – SSO (OAuth Client) plugin to a version that addresses this vulnerability once available. Monitor vendor announcements for patches. 2. If immediate patching is not possible, implement web application firewall (WAF) rules to detect and block suspicious OAuth authorization requests that lack proper state validation or originate from unexpected sources. 3. Educate site administrators to avoid clicking on untrusted or suspicious links, especially those related to OAuth authorization flows. 4. Modify the plugin code (if feasible) to introduce a cryptographically secure, random nonce in the state parameter to ensure unpredictability and proper CSRF protection. 5. Employ additional OAuth security best practices, such as validating redirect URIs strictly and monitoring OAuth logs for unusual authorization requests. 6. Consider implementing multi-factor authentication (MFA) for administrative accounts to reduce the impact of potential session hijacking. 7. Regularly audit OAuth-related configurations and logs to detect anomalies indicative of exploitation attempts.