What the vulnerability does
Description
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
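To make the flaw concrete, the following added example (not the plugin's code, and not taken from the advisory) contrasts the vulnerable pattern of decoding an ID token's payload and trusting its claims with a hardened path that pins the algorithm, verifies the signature in constant time and enforces `exp`, `iss` and `aud` before any claim is used to look up a user. It assumes an HS256 shared secret and hypothetical issuer and client-id values so that it runs on the standard library alone; real OpenID Connect ID tokens are usually RS256-signed and verified against the provider's published keys, but the checks are the same.

```python
import base64, hashlib, hmac, json

# Constructed demo values (hypothetical; not the plugin's own configuration).
SECRET = b"constructed-shared-secret-for-demo"
EXPECTED_ISS = "https://idp.example"   # hypothetical issuer
EXPECTED_AUD = "wp-client-demo"        # hypothetical OAuth client id

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    # Builds an HS256 JWT; used here only to construct sample inputs.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def resource_owner_unverified(id_token: str) -> dict:
    # Vulnerable pattern: the payload is trusted as-is; the signature is never
    # checked, so whatever identity the token claims is accepted.
    _, payload, _ = id_token.split(".")
    return json.loads(b64url_decode(payload))

def resource_owner_verified(id_token: str, key: bytes, now: int) -> dict:
    # Hardened pattern: pin the algorithm, verify the MAC in constant time,
    # then enforce exp/iss/aud before any claim is used to look up a user.
    header_b64, payload_b64, sig_b64 = id_token.split(".")  # ValueError if malformed
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    return claims

def verified_ok(id_token: str, key: bytes, now: int) -> bool:
    # True only if the hardened path accepts; decode/parse failures are ValueError subclasses.
    try:
        resource_owner_verified(id_token, key, now)
        return True
    except (ValueError, AttributeError):
        return False
```

A token signed under any key other than the server's, an unsigned `alg: none` token, an expired token or one for another audience all pass `resource_owner_unverified` and all fail `resource_owner_verified`; the only difference between the two paths is the checks the advisory says were missing.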
Explanation of Vulnerability in Simple Terms
Summary
The OAuth Single Sign On plugin contains a cryptographic signature verification flaw that allows attackers to forge authentication tokens without valid credentials. An attacker can bypass login mechanisms and gain unauthorized access to any user account, including administrators. No user interaction or authentication is required to exploit this vulnerability. All versions up to 6.26.12 are affected.
What an attacker can do
Attacker Capabilities
Forge OAuth tokens to log in as any user, including site administrators, without knowing their password.
Potential impact on your site
Site Impact
Attackers can take over any user account on your site, including admin accounts, and modify content or steal data.
Conditions required to exploit
Prerequisites
Network access only; no authentication or user interaction required.
Key dates
Disclosure timeline
October 4, 2025: CVE published
April 8, 2026: Record updated