CVE Alert: CVE-2025-7040 – cloudinfrastructureservices – Cloud SAML SSO – Single Sign On Login
CVE-2025-7040
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘set_organization_settings’ action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user’s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service.
AI Summary Analysis
Detection ideas
- Unauthorised POSTs to set_organization_settings in the plugin’s action handler.
- Unexpected changes to organization settings or SSO configuration (signing/encryption toggles) in wp_options or related logs.
- Code review finding: no CSRF nonce check or capability validation around the set_organization_settings branch in CSSO_ActionHandler.php.
- Admin-ajax or plugin endpoints accessed without authenticated sessions.
- Anomalous admin activity coinciding with config changes.
Mitigation and prioritisation
- Apply the patched version (1.0.19) or newer; if unavailable, disable the plugin until fixed.
- Enforce authentication and proper capability checks for set_organization_settings; add CSRF nonce validation.
- Implement WAF/IPS rules to block unauthenticated attempts to invoke the action.
- Audit and constrain admin access to the WordPress instance; review and revert any unintended configuration changes.
- Schedule testing in staging, then controlled production rollout; update change-management tickets.
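The two controls the description says are missing (a capability check and a CSRF nonce on the action that writes organization settings) look like this when present. The block below is an added example written for this page, not the plugin's own code: the hook name, option name, field names and text domain are assumptions chosen for illustration; current_user_can(), check_admin_referer(), wp_nonce_field(), update_option() and the sanitisers are WordPress core functions.

```php
<?php
// Added example, not code from the Cloud SAML SSO plugin. It shows a hardened
// admin-post handler for an action in the style of "set_organization_settings".
// All names prefixed "example_" are assumed for illustration.

// Renders the settings form. The nonce field ties the submitted form to this
// specific action and to the logged-in user's session.
function example_csso_render_settings_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_csso_set_organization_settings">
        <?php wp_nonce_field( 'example_csso_set_organization_settings', '_csso_nonce' ); ?>
        <label>IdP entity ID <input type="text" name="idp_entity_id"></label>
        <label><input type="checkbox" name="sign_requests" value="1"> Sign requests</label>
        <label><input type="checkbox" name="encrypt_assertions" value="1"> Encrypt assertions</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handles the POST. The advisory describes the vulnerable shape as: read $_POST,
// call update_option(), with neither of the two checks below.
function example_csso_handle_set_organization_settings(): void {
    // 1. Capability check: only users who may manage the site change SSO config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'example-csso' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF check: dies with a 403 unless the nonce for this action is valid.
    check_admin_referer( 'example_csso_set_organization_settings', '_csso_nonce' );

    // 3. Allow-list the fields and coerce each to its expected type, so a request
    //    cannot smuggle in option keys the form never exposes.
    $allowed = array(
        'idp_entity_id'      => 'sanitize_text_field',
        'sign_requests'      => 'rest_sanitize_boolean',
        'encrypt_assertions' => 'rest_sanitize_boolean',
    );
    $settings = array();
    foreach ( $allowed as $field => $sanitizer ) {
        $raw                = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        $settings[ $field ] = call_user_func( $sanitizer, $raw );
    }

    update_option( 'example_csso_organization_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Register only the authenticated hook. Deliberately NOT registering the
// "admin_post_nopriv_..." variant means admin-post.php rejects the action for
// visitors without a session before the handler is ever reached.
add_action(
    'admin_post_example_csso_set_organization_settings',
    'example_csso_handle_set_organization_settings'
);
```

Two design points: the checks run before any read of $_POST, so a request that fails either one never reaches update_option(); and the allow-list makes the stored option's shape fixed, which also makes the "unexpected change to SSO configuration" detection idea above easier, since a diff of that single option against its last known value is all a monitor needs to compare.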