CVE-2022-3926

MEDIUM

WP OAuth Server < 3.4.2 - Cross-Site Request Forgery via Secret Regeneration

Description

The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have a CSRF check when regenerating secrets, which could allow attackers to make logged-in admins regenerate the secret of an arbitrary client, given they know the client ID.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/e1fcde2a-91a5-40cb-876b-884f01c80336

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 24.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
wp-oauth/wp_oauth_server < 3.4.2
Published Dec 05, 2022
Tracked Since Feb 18, 2026