CVE-2026-7617 - Vulnerability Details

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wpoauth/tags/1.0.7/secuforoauth_login.php#L212
https://plugins.trac.wordpress.org/browser/wpoauth/tags/1.0.7/secuforoauth_login.php#L220
https://plugins.trac.wordpress.org/browser/wpoauth/trunk/secuforoauth_login.php#L212
https://plugins.trac.wordpress.org/browser/wpoauth/trunk/secuforoauth_login.php#L220
https://www.wordfence.com/threat-intel/vulnerabilities/id/61293c20-cabe-412d-94d1-1d0326d35a46?source=cve

History

Wed, 24 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.
Title		Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/wpoauth/tags/1.0.7/secuforoauth_login.php#L212 https://plugins.trac.wordpress.org/browser/wpoauth/tags/1.0.7/secuforoauth_login.php#L220 https://plugins.trac.wordpress.org/browser/wpoauth/trunk/secuforoauth_login.php#L212 https://plugins.trac.wordpress.org/browser/wpoauth/trunk/secuforoauth_login.php#L220 https://www.wordfence.com/threat-intel/vulnerabilities/id/61293c20-cabe-412d-94d1-1d0326d35a46?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-24T05:33:25.583Z

Updated: 2026-06-24T05:33:25.583Z

Reserved: 2026-05-01T13:15:23.874Z

Link: CVE-2026-7617

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object