CVE-2022-3926: WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF
First published: Mon Dec 05 2022(Updated: )
The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Codexshaper Wp Oauth2 Server | <3.4.2 | |
| <3.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-3926?
The severity of CVE-2022-3926 is considered high due to the potential for attackers to compromise admin secrets.
How do I fix CVE-2022-3926?
To fix CVE-2022-3926, update the WP OAuth Server plugin to version 3.4.2 or later.
What versions of the WP OAuth Server plugin are affected by CVE-2022-3926?
CVE-2022-3926 affects all versions of the WP OAuth Server plugin before 3.4.2.
What type of attack can CVE-2022-3926 enable?
CVE-2022-3926 can enable attackers to force logged-in admins to regenerate OAuth client secrets.
Is user authentication at risk due to CVE-2022-3926?
Yes, CVE-2022-3926 poses a risk to user authentication by allowing attackers to manipulate secret regeneration.
- agent/references
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/wp-oauth
- canonical/codexshaper wp oauth2 server