Serious security flaw — tokens remain valid after logout
I tested WP OAuth Server (OAuth Authentication) in integration with a client application and found a serious issue: even after the user logs out from WordPress, the issued access token is still accepted by the /oauth/me endpoint, returning all user data.
This means any client application that has stored the token can continue accessing private information indefinitely, until the token expires, without verifying if the session on the server has ended.
I tried to work around the issue by enabling the introspection endpoint and validating the token on each request, but the plugin does not revoke the token on logout, making introspection ineffective for detecting logouts.
This flaw breaks a basic security principle of OAuth 2.0 and may expose sensitive data. I do not recommend using this plugin until token revocation upon logout is implemented.
The topic ‘Serious security flaw — tokens remain valid after logout’ is closed to new replies.
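The behaviour the report contrasts (a token that stays usable after the WordPress logout versus one that is revoked when the session ends) can be modelled in a few lines. The following is an added illustration, not WP OAuth Server's code: the in-memory store, the `revoke_on_logout` switch, the `logged_in` stand-in for the WordPress session, and the `logout()` hook are all constructed here. It shows why introspection alone cannot detect a logout unless the server actually marks the token revoked, and what an RFC 7662-style introspection response and a `/oauth/me`-style resource endpoint return once it does.

```python
"""Reference model of OAuth 2.0 access-token state across a logout.

Added illustration; not WP OAuth Server's code. The store, the
`revoke_on_logout` switch and the `logout()` hook are constructed to show
the two behaviours the report contrasts: a token that survives logout (the
reported flaw) and one that is revoked on logout, so that introspection
(RFC 7662 shape) and the /oauth/me-style endpoint both reflect the ended
session.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AccessToken:
    user_id: int
    expires_at: float
    scope: str = "profile"
    revoked: bool = False


@dataclass
class TokenStore:
    # False reproduces the reported behaviour; True is the hardened variant.
    revoke_on_logout: bool
    tokens: Dict[str, AccessToken] = field(default_factory=dict)
    # Constructed stand-in for the WordPress login session.
    logged_in: Set[int] = field(default_factory=set)

    def login(self, user_id: int) -> None:
        self.logged_in.add(user_id)

    def issue(self, user_id: int, ttl: int = 3600,
              now: Optional[float] = None) -> str:
        """Issue an opaque bearer token to a user with an active session."""
        if user_id not in self.logged_in:
            raise PermissionError("user has no active session")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = AccessToken(user_id=user_id, expires_at=now + ttl)
        return token

    def introspect(self, token: str, now: Optional[float] = None) -> dict:
        """RFC 7662-shaped answer: {'active': False} or the token's claims.

        A token is inactive if unknown, expired, or explicitly revoked; without
        revocation on logout, the third case never happens and the response
        stays 'active' until expiry, which is the gap the report describes.
        """
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return {"active": False}
        return {"active": True, "sub": str(rec.user_id),
                "scope": rec.scope, "exp": int(rec.expires_at)}

    def me(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Models a /oauth/me-style endpoint that validates via introspection."""
        info = self.introspect(token, now)
        if not info["active"]:
            return None
        return {"user_id": int(info["sub"]), "scope": info["scope"]}

    def logout(self, user_id: int) -> None:
        """End the session; with revoke_on_logout, invalidate the user's tokens."""
        self.logged_in.discard(user_id)
        if self.revoke_on_logout:
            for rec in self.tokens.values():
                if rec.user_id == user_id:
                    rec.revoked = True


if __name__ == "__main__":
    for flag in (False, True):
        store = TokenStore(revoke_on_logout=flag)
        store.login(7)
        tok = store.issue(7)
        store.logout(7)
        print(f"revoke_on_logout={flag}: /oauth/me after logout -> {store.me(tok)}")
```

With `revoke_on_logout=False` the store reproduces the reported flaw: `introspect()` keeps answering `active: true` and `me()` keeps returning user data after `logout()`, so a resource server that checks introspection on every request still cannot tell the session has ended. With `revoke_on_logout=True` the same calls return `{"active": False}` and `None` immediately after logout, which is the check the report asks for.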