CVE-2022-4148

Summary

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.

Affected Software

VendorProductVersion RangeStatus
UnknownWP OAuth Server (OAuth Authentication)0 < 4.3.0affected

Weaknesses

  • CWE-862 Missing Authorization
  • CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References