QwikSec

Security Database

CVE

CWE

Training

CVE-2025-7045

Published: Sep 6, 2025

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any configured IdP, breaking the SSO authentication flow and causing a denial-of-service.

Vendor	Product	Versions
cloudinfrastructureservices	Cloud SAML SSO – Single Sign On Login	affected `0 - <= 1.0.19`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/87099513-d8e2-45e5-b7e6-b46558a10d3b?source=cve

https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/saml-sso-plugin.php

https://wordpress.org/plugins/cloud-sso-single-sign-on/#developers

https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/CSSO_Init.php

https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/tags/1.0.19/assets/base/CSSO_ActionHandler.php

https://plugins.trac.wordpress.org/browser/cloud-sso-single-sign-on/trunk/assets/base/CSSO_ActionHandler.php?rev=3354459#L130

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.