
CVE-2025-47670 – WordPress WordPress Social Login and Register <= 7.6.10 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-47670
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through 7.6.10. The WordPress Social Login and Register plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 7.6.10. This makes it possible for unauthenticated attackers to include and execute arbitrary fil... • https://patchstack.com/database/wordpress/plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-7-6-9-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-27370
https://notcve.org/view.php?id=CVE-2025-27370
03 Mar 2025 — OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client. • https://openid.net/notice-of-a-security-vulnerability • CWE-305: Authentication Bypass by Primary Weakness •

CVE-2024-31107 – WordPress OpenID plugin <= 3.6.1 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-31107
29 Mar 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DiSo Development Team OpenID allows Reflected XSS. This issue affects OpenID: from n/a through 3.6.1. The OpenID plugin for WordPress is vulnerable to Reflected Cross-Site Scri... • https://patchstack.com/database/vulnerability/openid/wordpress-openid-plugin-3-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-47683 – WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-47683
09 Nov 2023 — Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6. • https://patchstack.com/database/vulnerability/miniorange-login-openid/wordpress-social-login-social-sharing-by-miniorange-plugin-7-6-6-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management •

CVE-2023-25455 – WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.6.0 - Arbitrary Content Deletion vulnerability
https://notcve.org/view.php?id=CVE-2023-25455
13 Feb 2023 — Missing Authorization vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.0. The WordPress Social Login and Register plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 7.6.0. This is due to a missing capability check on the 'mo_openid... • https://patchstack.com/database/wordpress/plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-discord-google-twitter-linkedin-plugin-7-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2023-24375 – WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-24375
23 Sep 2022 — Missing Authorization vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.5.14. The WordPress Social Login and Register plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the mo_sharing_app_value function as well as others that are re... • https://patchstack.com/database/wordpress/plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-discord-google-twitter-linkedin-plugin-7-5-14-broken-access-control?_s_id=cve • CWE-862: Missing Authorization •

CVE-2020-26244 – Cryptographic issues in Python oic
https://notcve.org/view.php?id=CVE-2020-26244
02 Dec 2020 — Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) JWA `none` algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of... • https://github.com/OpenIDC/pyoidc/commit/62f8d753fa17c8b1f29f8be639cf0b33afb02498 • CWE-325: Missing Cryptographic Step CWE-347: Improper Verification of Cryptographic Signature •

CVE-2019-11027 – Gentoo Linux Security Advisory 202003-09
https://notcve.org/view.php?id=CVE-2019-11027
10 Jun 2019 — Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk. • https://github.com/openid/ruby-openid/issues/122 •

CVE-2019-9837
https://notcve.org/view.php?id=CVE-2019-9837
15 Mar 2019 — Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the 'openid' scope and a prompt=none value. This allows phishing attacks against the authorization flow. • https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2008-3280 – OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
https://notcve.org/view.php?id=CVE-2008-3280
08 Aug 2008 — It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to rely on these OPs. • https://www.exploit-db.com/exploits/5720 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •