Urgent Security update for OIDC plugin Wordpress
https://wordpress.org/plugins/daggerhart-openid-connect-generic/
Update 3.11.1
After manual update: "OpenID Connect Generic - Security Configuration Required"

> Your OpenID Connect authentication is using an insecure fallback method. You must configure the JWKS endpoint in plugin settings as soon as possible. The current insecure fallback will be removed in version 3.12.0. After that update, authentication will fail until the JWKS endpoint is configured.
>
> Common JWKS endpoints:
> • Keycloak: https://your-domain/realms/your-realm/protocol/openid-connect/certs
> • Auth0: https://your-domain.auth0.com/.well-known/jwks.json
> • Okta: https://your-domain.okta.com/oauth2/default/v1/keys
> • Azure AD: https://login.microsoftonline.com/your-tenant/discovery/v2.0/keys
> • Google: https://www.googleapis.com/oauth2/v3/certs

I tried to manually update within the Wordpress Developer app but login got broken, had to restore.
3.11.0
SECURITY RELEASE
Security: Added JWT signature verification using JWKS to prevent token forgery
Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
Security: Replaced weak state generation with cryptographically secure random_bytes()
Security: Fixed open redirect vulnerability in authentication flow
Security: Restricted SSL verification bypass to local development environments only
Security: Added nonce protection to debug mode to prevent information disclosure
Security: Added SSRF protection by default through use of wp_safe_remote_* functions
Feature: Added JWKS endpoint configuration setting
Feature: Added OpenID Connect discovery document support
Feature: Added customizable login button text setting
Improvement: Migrated to Composer-managed dependencies
Fix: Corrected issuer validation to properly extract base URL from endpoints
Fix: Identity token timestamp tracking -
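As an added illustration (not the plugin's own code) of the checks the 3.11.0 entries describe, the following Python sketches JWKS key selection by `kid` and validation of the exp, aud, iss, iat and nonce claims. The issuer, client id, nonce, JWKS entry and token are constructed sample values, and the RSA/EC signature check on the selected key is left to a JOSE library (e.g. firebase/php-jwt in a WordPress plugin).

```python
import base64
import json
# Constructed sample values for this illustration (no real IdP, client or key).
ISSUER, CLIENT_ID, NONCE, NOW = "https://idp.example/realms/demo", "wordpress-site", "n-0S6_WzA2Mj", 1_700_000_000
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2024", "use": "sig", "alg": "RS256",
                         "n": "<modulus-placeholder>", "e": "AQAB"}]}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# A compact JWS with a dummy signature, built only to feed the checks below.
SAMPLE_TOKEN = ".".join(b64url(json.dumps(part).encode()) for part in (
    {"alg": "RS256", "kid": "key-2024"},
    {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300, "iat": NOW - 5, "nonce": NONCE, "sub": "alice"},
)) + "." + b64url(b"dummy-sig")

def parse_token(token: str):
    """Split a compact JWS into (header, payload); nothing here is trusted yet."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def select_jwk(jwks: dict, header: dict) -> dict:
    """Pick the JWKS signing key named by the header's kid, refusing 'none' and unexpected algs."""
    if header.get("alg") not in ("RS256", "ES256"):
        raise ValueError("unsupported alg %r" % header.get("alg"))
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("use", "sig") == "sig":
            return key
    raise ValueError("no signing key with kid %r in JWKS" % header.get("kid"))

def validate_claims(payload: dict, expected_iss: str, client_id: str, expected_nonce: str, now: int, leeway: int = 60) -> list:
    """Return the names of the failed checks; an empty list means the claims are acceptable."""
    failures = []
    if payload.get("iss") != expected_iss:                    # issuer must match the discovery document
        failures.append("iss")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud or (len(aud) > 1 and payload.get("azp") != client_id):
        failures.append("aud")                                # token was minted for another client
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"] + leeway:
        failures.append("exp")                                # expired (small clock-skew leeway)
    if not isinstance(payload.get("iat"), int) or payload["iat"] > now + leeway:
        failures.append("iat")                                # issued in the future
    if not expected_nonce or payload.get("nonce") != expected_nonce:
        failures.append("nonce")                              # not bound to this login attempt
    return failures
```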