{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7040", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-02T22:23:38.620Z", "datePublished": "2025-09-06T03:22:36.142Z", "dateUpdated": "2026-04-08T16:54:48.328Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:48.328Z"}, "affected": [{"vendor": "cloudinfrastructureservices", "product": "Cloud SAML SSO \u2013 Single Sign On Login", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user\u2019s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service."}], "title": "Cloud SAML SSO <= 1.0.19 - Missing Authorization to Unauthenticated Settings Modification via set_organization_settings Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59622166-3316-42e5-bf28-69eb38231755?source=cve"}, {"url": "https://wordpress.org/plugins/cloud-sso-single-sign-on/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_ActionHandler.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_services.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/CSSO_Init.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/saml-sso-plugin.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/trunk/assets/base/CSSO_ActionHandler.php?rev=3354459#L202"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-07-03T11:19:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-08T20:18:10.674070Z", "id": "CVE-2025-7040", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T20:18:18.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7040", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-08T20:18:10.674070Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T20:18:14.939Z"}}], "cna": {"title": "Cloud SAML SSO <= 1.0.19 - Missing Authorization to Unauthenticated Settings Modification via set_organization_settings Action", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}}], "affected": [{"vendor": "cloudinfrastructureservices", "product": "Cloud SAML SSO \u2013 Single Sign On Login", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-03T11:19:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59622166-3316-42e5-bf28-69eb38231755?source=cve"}, {"url": "https://wordpress.org/plugins/cloud-sso-single-sign-on/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_ActionHandler.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_services.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/CSSO_Init.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/saml-sso-plugin.php"}, {"url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/trunk/assets/base/CSSO_ActionHandler.php?rev=3354459#L202"}], "descriptions": [{"lang": "en", "value": "The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user\u2019s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-06T03:22:36.142Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7040", "state": "PUBLISHED", "dateUpdated": "2025-09-08T20:18:18.232Z", "dateReserved": "2025-07-02T22:23:38.620Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-06T03:22:36.142Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user\u2019s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service."}], "id": "CVE-2025-7040", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-06T04:16:02.867", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/CSSO_Init.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_ActionHandler.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_services.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/saml-sso-plugin.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/trunk/assets/base/CSSO_ActionHandler.php?rev=3354459#L202"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/cloud-sso-single-sign-on/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59622166-3316-42e5-bf28-69eb38231755?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:13:00.570359+00:00", "value": {"mitigation_remediation": ["Upgrade the Cloud SAML SSO WordPress plugin to a version newer than 1.0.19, which includes the proper capability check on the set_organization_settings endpoint.", "If an upgrade is not immediately possible, modify the plugin\u2019s action handler to first verify that the current user has the \"manage_options\" capability before allowing organization settings to be updated; alternatively, remove the set_organization_settings endpoint entirely.", "Implement network or application\u2011level controls to block unauthenticated POST requests to the plugin\u2019s action URLs, such as protecting the administrative area with .htaccess or a firewall rule."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration modification enabling denial of service"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Cloud Infrastructure Services\u2019 Cloud SAML SSO \u2013 Single Sign On Login plugin, version 1.0.19 or earlier. All earlier releases share the same code path that performs the insecure update. The issue is not present in versions newer than 1.0.19, provided the vendor has addressed the capability check in the fix.", "description_and_impact": "The Cloud SAML SSO plugin for WordPress contains a missing capability check for the set_organization_settings action. The handler accepts client\u2011supplied POST parameters for organization settings and passes them directly to update_option() without validating the user\u2019s capabilities or including a CSRF nonce. This weakness allows an unauthenticated attacker to change critical SSO configuration, such as signing and encryption toggles, which can break the authentication flow and cause a denial\u2011of\u2011service. The flaw is a classic example of Missing Authorization (CWE\u2011862).", "risk_and_exploitability": "The vulnerability scores a 8.2 on the CVSS scale, indicating a high\u2011severity condition. The EPSS score is less than 1\u202f%, suggesting that exploitation is infrequent but possible. The vulnerability is not listed in the CISA KEV catalog. Because the action is reachable via an unauthenticated POST request that lacks a CSRF token, an attacker can trigger it solely by sending a crafted HTTP request to the plugin\u2019s endpoint. Successful exploitation results in unauthorized configuration changes that can compromise the integrity of the SSO flow and render user authentication ineffective, leading to a denial\u2011of\u2011service for legitimate users."}}}}, "created": "2025-09-08T15:17:42.125227+00:00", "updated": "2026-04-21T03:15:16.338018+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}