CVE-2025-7045
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-06

Last updated on: 2025-09-08

Assigner: Wordfence

Description
The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-06
Last Modified
2025-09-08
Generated
2026-06-16
AI Q&A
2025-09-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-7045
EUVD
EUVD-2025-27129
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence cloud_sso_single_sign_on 1.0.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Cloud SAML SSO plugin for WordPress, where a missing capability check on the delete_config action allows unauthenticated attackers to delete any configured Identity Provider (IdP). This breaks the Single Sign-On (SSO) authentication flow and causes a denial-of-service.

Impact Analysis

An attacker can delete configured Identity Providers in the SAML SSO plugin without authentication, disrupting the SSO authentication process and causing denial-of-service, which can prevent legitimate users from accessing services relying on SSO.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7045. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart