CVE-2025-7045
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-06

Last updated on: 2025-09-08

Assigner: Wordfence

Description
The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-06
Last Modified
2025-09-08
Generated
2026-05-07
AI Q&A
2025-09-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-7045
EUVD
EUVD-2025-27129
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence cloud_sso_single_sign_on 1.0.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Cloud SAML SSO plugin for WordPress, where a missing capability check on the delete_config action allows unauthenticated attackers to delete any configured Identity Provider (IdP). This breaks the Single Sign-On (SSO) authentication flow and causes a denial-of-service.


How can this vulnerability impact me? :

An attacker can delete configured Identity Providers in the SAML SSO plugin without authentication, disrupting the SSO authentication process and causing denial-of-service, which can prevent legitimate users from accessing services relying on SSO.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart