MiniOrange — Vulnerabilities & Security Advisories (29)

Browse all 29 CVE security advisories affecting MiniOrange. AI-powered Chinese analysis, POCs, and references for each vulnerability.

miniOrange primarily provides identity and access management solutions, specializing in single sign-on (SSO), multi-factor authentication (MFA), and directory synchronization for enterprise environments. Security audits have identified twenty-nine distinct Common Vulnerabilities and Exposures (CVEs) associated with its software suite, revealing a pattern of critical flaws. These vulnerabilities predominantly involve remote code execution (RCE) and cross-site scripting (XSS), allowing attackers to compromise system integrity or steal user credentials. Additionally, several instances of broken access control and privilege escalation have been documented, enabling unauthorized users to gain administrative rights. The high volume of historical CVEs suggests significant challenges in maintaining secure codebases across its diverse product offerings. While the company actively issues patches, the recurring nature of these critical flaws indicates persistent risks for organizations relying on its authentication infrastructure without rigorous security monitoring and immediate updates.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-68974 | WordPress WordPress Social Login and Register plugin <= 7.7.0 - Local File Inclusion vulnerability — WordPress Social Login and Register (CWE-98) | 6.6 | Medium | 2025-12-30 |
| CVE-2025-54745 | WordPress miniOrange's Google Authenticator Plugin <= 6.1.1 - Broken Access Control Vulnerability — miniOrange's Google Authenticator (CWE-862) | 6.5 | Medium | 2025-12-18 |
| CVE-2025-53561 | WordPress Prevent files / folders access Plugin <= 2.6.0 - Path Traversal Vulnerability — Prevent files / folders access (CWE-35) | 6.5 | Medium | 2025-08-20 |
| CVE-2025-54048 | WordPress Custom API for WP <= 4.2.2 - SQL Injection Vulnerability — Custom API for WP (CWE-89) | 9.3 | Critical | 2025-08-20 |
| CVE-2025-54049 | WordPress Custom API for WP <= 4.2.2 - Privilege Escalation Vulnerability — Custom API for WP (CWE-266) | 9.9 | Critical | 2025-08-20 |
| CVE-2025-31019 | WordPress Password Policy Manager plugin <= 2.0.4 - Account Takeover vulnerability — Password Policy Manager (CWE-288) | 8.8 | High | 2025-06-09 |
| CVE-2025-47670 | WordPress Social Login and Register plugin <= 7.6.10 - Local File Inclusion Vulnerability — WordPress Social Login and Register (CWE-98) | 8.1 | High | 2025-05-23 |
| CVE-2025-47672 | WordPress miniOrange Discord Integration plugin <= 2.2.2 - Local File Inclusion Vulnerability — miniOrange Discord Integration (CWE-98) | 8.1 | High | 2025-05-23 |
| CVE-2025-39545 | WordPress REST API Authentication plugin <= 3.6.3 - Settings Change Vulnerability — WordPress REST API Authentication (CWE-862) | 5.4 | Medium | 2025-04-16 |
| CVE-2023-41873 | WordPress SAML Single Sign On – SSO Login plugin <= 5.0.4 - Broken Access Control vulnerability — SAML SP Single Sign On (CWE-862) | 4.3 | Medium | 2024-12-13 |
| CVE-2023-37987 | WordPress YourMembership Single Sign On plugin <= 1.1.3 - Broken Access Control vulnerability — YourMembership Single Sign On (CWE-862) | 6.5 | Medium | 2024-12-13 |
| CVE-2023-24375 | WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 - Broken Access Control vulnerability — WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) (CWE-862) | 3.5 | Low | 2024-12-09 |
| CVE-2023-25455 | WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.6.0 - Arbitrary Content Deletion vulnerability — WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) (CWE-862) | 5.3 | Medium | 2024-12-09 |
| CVE-2023-47776 | WordPress miniorange otp verification plugin <= 4.2.1 - Broken Access Control vulnerability — miniorange otp verification (CWE-862) | 4.3 | Medium | 2024-12-09 |
| CVE-2023-52176 | WordPress Malware Scanner plugin <= 4.7.1 - IP Restriction Bypass vulnerability — Malware Scanner (CWE-290) | 5.3 | Medium | 2024-06-04 |
| CVE-2023-47683 | WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability — WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) (CWE-269) | 8.0 | High | 2024-05-17 |
| CVE-2024-25902 | WordPress Malware Scanner Plugin <= 4.7.2 is vulnerable to SQL Injection — Malware Scanner (CWE-89) | 7.6 | High | 2024-02-28 |
| CVE-2022-44589 | WordPress miniOrange's Google Authenticator Plugin <= 5.6.1 is vulnerable to Sensitive Data Exposure — miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email \| Passwordless login (CWE-200) | 8.1 | High | 2023-12-29 |
| CVE-2023-37986 | WordPress YourMembership Single Sign On Plugin <= 1.1.3 is vulnerable to Cross Site Scripting (XSS) — YourMembership Single Sign On – YM SSO Login (CWE-79) | 5.9 | Medium | 2023-09-01 |
| CVE-2022-34155 | WordPress OAuth Single Sign On – SSO (OAuth Client) Plugin <= 6.23.3 is vulnerable to Broken Authentication — OAuth Single Sign On – SSO (OAuth Client) (CWE-287) | 8.8 | High | 2023-07-18 |
| CVE-2023-23706 | WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin <= 7.5.14 is vulnerable to Cross Site Request Forgery (CSRF) — WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) (CWE-352) | 4.3 | Medium | 2023-05-23 |
| CVE-2023-23710 | WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 is vulnerable to Cross Site Scripting (XSS) — WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) (CWE-79) | 5.9 | Medium | 2023-04-25 |
| CVE-2023-1092 | OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF — OAuth Single Sign On Free | 6.5 | - | 2023-03-27 |
| CVE-2022-4496 | miniOrange WordPress SAML SSO multiple versions - Open Redirect in SSO login — miniOrange WordPress SAML SSO Standard | 6.1 | - | 2023-01-30 |
| CVE-2023-23749 | Extension - miniorange - LDAP Integration - LDAP Injection (username) — LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login | 7.5 | - | 2023-01-17 |
| CVE-2022-45073 | WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability — WordPress REST API Authentication (WordPress plugin) (CWE-352) | 5.4 | Medium | 2022-11-18 |
| CVE-2022-42461 | WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability — miniOrange's Google Authenticator (WordPress plugin) (CWE-264) | 5.4 | Medium | 2022-11-18 |
| CVE-2022-34149 | WordPress WP OAuth Server plugin <= 3.0.4 - Authentication Bypass vulnerability — WP OAuth Server (WordPress plugin) (CWE-264) | 9.8 | Critical | 2022-08-22 |
| CVE-2022-34858 | WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability — OAuth 2.0 client for SSO (WordPress plugin) (CWE-306) | 9.8 | Critical | 2022-08-22 |

This page lists every published CVE security advisory associated with MiniOrange. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.