The plugin was affected by an Auth Bypass vulnerability. The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site. Depending on the settings of the OAuth server, we may even be given an administrator role on the client’s website.

Proof of Concept

When we click the “Single Sign On” button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in.

The button invokes the following URL:

https://lana.solutions/vdb/dash10-digital-oauth-client/?auth=sso

The client plugin redirects us to the following URL:

https://lana.solutions/vdb/dash10-digital-oauth-server/?oauth=authorize&response_type=code&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client

The URL contains the client_secret code that can be used to request an access token with client credentials grant type authentication.

Exploit script: https://gist.github.com/lana-codes/d5c9c3a79ae50d742df719bf20d9d0ea