Urgent Security update for OIDC plugin Wordpress
-
https://wordpress.org/plugins/daggerhart-openid-connect-generic/
Update 3.11.1
After manual update: "OpenID Connect Generic - Security Configuration Required"
Your OpenID Connect authentication is using an insecure fallback method. You must configure the JWKS endpoint in plugin settings as soon as possible. The current insecure fallback will be removed in version 3.12.0. After that update, authentication will fail until the JWKS endpoint is configured. Common JWKS endpoints:
• Keycloak: https://your-domain/realms/your-realm/protocol/openid-connect/certs
• Auth0: https://your-domain.auth0.com/.well-known/jwks.json
• Okta: https://your-domain.okta.com/oauth2/default/v1/keys
• Azure AD: https://login.microsoftonline.com/your-tenant/discovery/v2.0/keys
• Google: https://www.googleapis.com/oauth2/v3/certs
I tried to manually update within the WordPress Developer app, but login got broken and I had to restore.
3.11.0
SECURITY RELEASE
Security: Added JWT signature verification using JWKS to prevent token forgery
Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
Security: Replaced weak state generation with cryptographically secure random_bytes()
Security: Fixed open redirect vulnerability in authentication flow
Security: Restricted SSL verification bypass to local development environments only
Security: Added nonce protection to debug mode to prevent information disclosure
Security: Added SSRF protection by default through use of wp_safe_remote_* functions
Feature: Added JWKS endpoint configuration setting
Feature: Added OpenID Connect discovery document support
Feature: Added customizable login button text setting
Improvement: Migrated to Composer-managed dependencies
Fix: Corrected issuer validation to properly extract base URL from endpoints
Fix: Identity token timestamp tracking
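The 3.11.0 entries above only name what the plugin now does: look the signing key up in the IdP's JWKS, verify the ID token signature, and validate exp, aud, iss, iat and nonce. The following is an added example written for this page, not code from the plugin or from anyone in the thread. It is Go rather than the plugin's PHP so that it runs with the standard library alone. It also enforces the `alg` member on the JWK, which a later post notes the plugin has started to require even though RFC 7517 makes it optional. The issuer, audience, nonce and kid values, the 60-second clock-skew allowance, and the string-only `aud` handling are assumptions of the example, not plugin behaviour.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 RSA key used here (json.Unmarshal matches the
// lowercase member names case-insensitively). "alg" is optional in the RFC, but
// this verifier requires it, mirroring the plugin behaviour reported in the thread.
type jwk struct{ Kty, Kid, Alg, N, E string }
type jwks struct{ Keys []jwk }

// expected is what the relying party configured (issuer, client_id) plus the nonce
// it generated for this login attempt and the clock to validate against. All values
// used below are assumed for the example.
type expected struct {
	Issuer, Audience, Nonce string
	Now                     time.Time
}

var b64 = base64.RawURLEncoding

func b64ToBig(s string) (*big.Int, error) {
	raw, err := b64.DecodeString(s)
	return new(big.Int).SetBytes(raw), err
}

// jwkFromPublicKey builds the entry an IdP would publish at its JWKS endpoint.
func jwkFromPublicKey(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kty: "RSA", Kid: kid, Alg: "RS256",
		N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 mints an ID token (header.claims.signature) the way an IdP would.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyIDToken does what the 3.11.0 changelog lists: select the JWKS key by kid,
// pin the algorithm, verify the RSA signature, then validate iss/aud/nonce/exp/iat.
func verifyIDToken(token string, set jwks, want expected) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	// The key's own alg must be present and equal the header alg: the token author
	// must not get to choose "none", HS256, or anything the key was not published for.
	var key *jwk
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid {
			key = &set.Keys[i]
		}
	}
	if key == nil || key.Kty != "RSA" || key.Alg != "RS256" || hdr.Alg != key.Alg {
		return nil, fmt.Errorf("no usable RS256 key for kid %q / alg %q", hdr.Kid, hdr.Alg)
	}
	n, err1 := b64ToBig(key.N)
	e, err2 := b64ToBig(key.E)
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url in key or signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(&rsa.PublicKey{N: n, E: int(e.Int64())}, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	// Only after the signature check are the claims parsed and trusted at all.
	var claims map[string]any
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("bad claims encoding")
	}
	now := float64(want.Now.Unix())
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	iat, _ := claims["iat"].(float64)
	switch {
	case claims["iss"] != want.Issuer:
		return nil, errors.New("iss mismatch")
	case claims["aud"] != want.Audience: // string aud only; OIDC also allows an array
		return nil, errors.New("aud mismatch")
	case claims["nonce"] != want.Nonce:
		return nil, errors.New("nonce mismatch")
	case exp == 0 || now >= exp:
		return nil, errors.New("token expired")
	case iat == 0 || iat > now+60: // assumed 60 s clock-skew allowance
		return nil, errors.New("iat in the future")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := jwks{Keys: []jwk{jwkFromPublicKey("k1", &priv.PublicKey)}}
	want := expected{Issuer: "https://idp.example", Audience: "wp-client", Nonce: "n1", Now: time.Now()}
	tok, _ := signRS256(priv, "k1", map[string]any{"iss": want.Issuer, "aud": want.Audience, "nonce": want.Nonce, "sub": "alice", "iat": want.Now.Unix(), "exp": want.Now.Unix() + 300})
	fmt.Println(verifyIDToken(tok, set, want))
}
```

The order matters: the key is chosen by the relying party from its configured JWKS, the algorithm is taken from that key rather than from the token, and no claim is read until the signature has passed. That is the difference between the JWKS verification added in 3.11.0 and the "insecure fallback" the admin notice warns about, and it is why a JWKS key without `alg` is rejected here rather than guessed around.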
-
The plugin has also started requiring the 'alg' param in JWKS keys. The field is optional (https://datatracker.ietf.org/doc/html/rfc7517#section-4.4) , but I have added it to our oidcserver now.
-
Looks like version 3.11.3 came out just a short while ago.
https://github.com/oidc-wp/openid-connect-generic/issues/633#issuecomment-3894814402
I've released 3.11.3 which provides a setting for the issuer url. This seems like the most reliable way to ensure each site can adjust depending on their IDP.
-
There are quite a few changes needed: the plugin has also moved to Composer, we need a new platform release to adjust for the JWKS key handling, some changes to the package to whitelist the Cloudron OIDC server since it appears WP is blocking it, etc.
I think if someone is waiting for this, it will take a while. Best not to update the plugin (or if you already updated, you should roll back somehow).
-
@girish could you please explain? Is a broken 3.11.3 more insecure than an insecure older version? Wouldn't it be better to switch to app-based authorisation meanwhile and deactivate the plugin?
@dsp76 said in Urgent Security update for OIDC plugin Wordpress:
switch to app based authorisation meanwhile and deactivate the plugin?
That's what I just did. I knew OIDC is more trouble than it's worth. BTW, cloning the app won't work. Install a new WP managed app, then import a backup if you decide to go that route.
-
Yes, tried manually on 2 sites and it's working!
Thanks for the effort and results
-
First update the app, then update the plugin.
-
@dsp76 With the latest developer packages + OIDC plugin 3.11.3, it should work.
@d19dotca https://forum.cloudron.io/topic/2586/wordpress-developer-package-updates/88 is the package release.