Critical WordPress SSO flaw
A critical authentication‑bypass vulnerability (CVE‑2026‑2628) was disclosed in a WordPress Entra ID/Azure AD SSO plugin with a published root cause, proof‑of‑concept, patch analysis and mitigations. The disclosure highlights immediate patching and mitigation needs for sites using cloud‑integrated SSO. (x.com)
A flaw in a WordPress single sign-on plugin let attackers log in as any user, including administrators, without valid Microsoft credentials. (nvd.nist.gov) The bug, tracked as CVE-2026-2628, affects All-in-One Microsoft 365 & Entra ID / Azure AD Single Sign-On Login through version 2.2.5 and carries a CVSS 3.1 score of 9.8. The National Vulnerability Database says unauthenticated attackers could bypass authentication and sign in as other users. (nvd.nist.gov)

Single sign-on lets a site trust another company's login system instead of storing a separate password. Here the plugin connected WordPress to Microsoft Entra ID, formerly Azure Active Directory, so users could sign in with a Microsoft identity. (yeswehack.com) That trust depends on checking a signed identity token, which works like a stamped badge proving who the user is: the site must confirm the stamp is Microsoft's before it believes the name on the badge. YesWeHack said the plugin skipped key identity-token validation, including signature verification, so a crafted request to the login callback could be accepted as a real login. (yeswehack.com)

YesWeHack published its root-cause analysis on April 10, 2026 and said exploitation was "trivial" once the callback logic was understood. The write-up said the vulnerable code could allow full website compromise if an attacker chose an administrator account. (yeswehack.com)

The patch landed in version 2.2.6, and Patchstack and YesWeHack both said site owners should update immediately. Patchstack said it also shipped a mitigation rule for customers who could not patch at once. (patchstack.com, yeswehack.com)

Detection may be difficult after the fact. YesWeHack said successful abuse could look like a normal administrator single sign-on event, leaving few traces beyond what appears to be a legitimate login. (yeswehack.com) One check that does not rely on WordPress logs alone: a forged token never passed through Microsoft, so an administrator SSO login recorded in WordPress with no matching sign-in event for that user and time in the tenant's Entra ID sign-in logs deserves a closer look.

The plugin's public install base is not huge, but it is exposed on live sites. YesWeHack cited more than 600 active installations on WordPress.org and said Shodan and Censys searches still showed dozens of vulnerable instances. (yeswehack.com)

The immediate fix is narrow and simple: update the plugin (also listed as Login with Azure) to 2.2.6 or later, then review recent administrator logins, session activity and the administrator user list for accounts or role changes nobody can account for. For sites that hand WordPress authentication to cloud identity systems, this bug turned a trust shortcut into a direct path past the login screen. (patchstack.com, yeswehack.com)
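The skipped identity-token validation described above, shown as an added example that is not the plugin's code and not YesWeHack's proof of concept. It is a Go model of an OpenID Connect callback: the vulnerable function reconstructs the class of flaw (trusting whatever the decoded token payload says), not the plugin's actual code path, which the page does not reproduce; the hardened function does the checks a relying party has to do. The issuer, client ID, nonce, user names and the locally generated RSA key (standing in for the key a real site would fetch from the tenant's published JWKS and select by `kid`) are all constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed issuer and client ID; a real relying party takes both from its Entra app registration.
const trustedIssuer, clientID = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0", "11111111-1111-1111-1111-111111111111"

type Claims struct { // ID-token claims the callback needs; preferred_username is what gets mapped to a WordPress user
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Email string `json:"preferred_username"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds a JWT: RS256-signed with the IdP key, or unsigned ("alg":"none") when key is nil,
// which is all an attacker who never authenticated to Microsoft can produce.
func MintToken(key *rsa.PrivateKey, c Claims) string {
	alg := "RS256"
	if key == nil {
		alg = "none"
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	if key == nil {
		return input + "." // empty signature segment
	}
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64(sig)
}

// decodeClaims splits the token and parses its payload. It verifies nothing.
func decodeClaims(tok string) (parts []string, c Claims, err error) {
	if parts = strings.Split(tok, "."); len(parts) != 3 {
		return nil, c, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return parts, c, err
}

// VulnerableCallback models the flaw: whatever username the payload claims is the user logged in.
func VulnerableCallback(idToken string) (string, error) {
	_, c, err := decodeClaims(idToken)
	return c.Email, err
}

// HardenedCallback verifies the RS256 signature with the IdP key, then issuer, audience, expiry and the
// nonce bound to this login attempt. The header alg is ignored on purpose: with a fixed verifier,
// "alg":"none" and algorithm-confusion tokens simply fail the signature check.
func HardenedCallback(idToken string, idpKey *rsa.PublicKey, nonce string, now time.Time) (string, error) {
	parts, c, err := decodeClaims(idToken)
	if err != nil {
		return "", err
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // empty or undecodable sig fails verification
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("signature does not verify under the IdP key")
	}
	switch {
	case c.Iss != trustedIssuer:
		return "", errors.New("wrong issuer")
	case c.Aud != clientID:
		return "", errors.New("wrong audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return "", errors.New("token expired")
	case nonce == "" || c.Nonce != nonce:
		return "", errors.New("nonce mismatch")
	}
	return c.Email, nil
}

func main() {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048) // IdP signing key; the attacker never holds this
	c := Claims{Iss: trustedIssuer, Aud: clientID, Exp: time.Now().Add(time.Hour).Unix(), Nonce: "n1", Email: "alice@example.com"}
	admin := c
	admin.Email = "admin@example.com" // forged claim set: any account name the attacker wants
	for _, tok := range []string{MintToken(idp, c), MintToken(nil, admin)} {
		u1, e1 := VulnerableCallback(tok)
		u2, e2 := HardenedCallback(tok, &idp.PublicKey, "n1", time.Now())
		fmt.Printf("vulnerable=%q (err=%v)   hardened=%q (err=%v)\n", u1, e1, u2, e2)
	}
}
```

Running it shows the vulnerable path logging in both alice and the forged admin, while the hardened path accepts only the IdP-signed token. The nonce check is what ties the token to the browser session that started the login; without it, even a genuine token captured elsewhere could be replayed into a fresh callback.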