CVE-2024-10111: 
WordPress vulnerability analysis and mitigation

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-10111) affecting all versions up to and including 6.26.3. The vulnerability stems from insufficient verification of users returned by social login tokens (NVD).

The vulnerability is caused by insufficient verification of the user being returned by the social login token. This security flaw allows unauthenticated attackers to log in as any existing user on the site, including administrators, if they have access to the username and the user does not have an already-existing account for the service returning the token. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows unauthorized users to bypass authentication controls and potentially gain administrative access to WordPress sites running the affected plugin. This could lead to complete site compromise, as attackers could gain the same privileges as any existing user on the site (NVD).

Site administrators should immediately update the OAuth Single Sign On – SSO (OAuth Client) plugin to a version newer than 6.26.3 to address this vulnerability. The issue has been fixed in subsequent releases (WordPress Plugin).