This access token can then be used to request any type of resource on the website that the user has access to. This could be anything from adding new users to editing their profile information, changing their email address, and so on. The attacker cannot access any other data on the website, such as their user roles, their private messages, their settings, or their posts. This attack can be mitigated by making sure that your WordPress installation is not publicly accessible via a web server.

There are two ways to prevent this attack: 1) Use a self-hosted WordPress solution, or 2) Use a hosted WordPress solution that uses strict security protocols. The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with knowledge of only a user's email address.
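The weakness described above is an SSO login flow that maps a request to a local account without first confirming the identity claims with the provider. The following is an added illustration (not the plugin's code) that contrasts a handler trusting a client-supplied email with one that derives the email only from a provider-signed token; the HMAC-signed token, the `idp_issue_token` stand-in for the provider, and the `LOCAL_USERS` table are all constructed for the demo.

```python
"""Constructed demo: SSO login that trusts a client-supplied email vs. one that
derives identity only from claims the provider has signed. Runs offline."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed: a shared signing key standing in for the provider's key material.
IDP_KEY = b"constructed-idp-signing-key"
# Constructed: the site's local account table, keyed by email.
LOCAL_USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}


def idp_issue_token(email: str) -> str:
    """Stand-in for the identity provider: sign the claims so the site can verify them."""
    payload = base64.urlsafe_b64encode(json.dumps({"email": email}).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the provider's signature over them checks out."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def vulnerable_login(request: dict) -> Optional[str]:
    """Weak pattern: the account is chosen from an email the client itself supplied."""
    return LOCAL_USERS.get(request.get("email"))


def hardened_login(request: dict) -> Optional[str]:
    """Hardened pattern: the email comes only from verified token claims."""
    claims = verify_token(request.get("access_token", ""))
    if claims is None:
        return None
    return LOCAL_USERS.get(claims.get("email"))
```

In a real deployment the signature check is replaced by validating the provider's ID token or calling its userinfo/introspection endpoint over TLS; the principle is the same: the mapping key must come from the provider, never from the login request.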

Timeline

Published on: 07/17/2022 11:15:00 UTC
Last modified on: 07/18/2022 11:23:00 UTC

References