Critical WordPress SSO flaw

A critical authentication-bypass vulnerability (CVE-2026-2628) was disclosed in the WordPress Entra ID/Azure AD SSO plugin and could allow attackers to take over admin accounts, with a full analysis and proof-of-concept posted publicly. The disclosure includes technical details that site operators can use to assess immediate exposure. (x.com)

A flaw in a WordPress login plugin let attackers forge a Microsoft sign-in and enter sites as any user, including administrators. (yeswehack.com) The bug is tracked as CVE-2026-2628 and affects All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login, also called Login with Azure, in versions through 2.2.5. The National Vulnerability Database says the issue allows unauthenticated attackers to bypass authentication and log in as other users, including administrators. (nvd.nist.gov)

Single sign-on means a site trusts another service to vouch for a user’s identity, the way a venue trusts a stamped wristband instead of checking identification twice. This plugin lets WordPress trust Microsoft Entra ID, formerly Azure Active Directory, for that handoff. (wordpress.org)

In OpenID Connect, the system is supposed to verify the identity token before it logs anyone in, the way a cashier checks whether a bill is real instead of just reading the printed amount. YesWeHack said the plugin skipped that signature check, which let an attacker send a crafted request to the login callback and impersonate arbitrary WordPress accounts. (yeswehack.com) YesWeHack said the root cause was missing identity-token validation, specifically the absence of signature verification against the identity provider’s public keys. It also said confusion between the allowed OpenID Connect flows made the bug “trivially exploitable” over the internet, while log records could look like a normal administrator single sign-on session. (yeswehack.com)

The severity score attached to the disclosure is 9.8 out of 10 under Common Vulnerability Scoring System version 3.1, with Wordfence listed by the National Vulnerability Database as the source of that score. The weakness is classified as CWE-288, or authentication bypass using an alternate path or channel. (nvd.nist.gov)

The patch landed in version 2.2.6, and the plugin listing now shows version 2.2.7 available for download. YesWeHack said site operators should update immediately, and WordPress.org’s public listing says the plugin has more than 600 active installations. (yeswehack.com) (de.wordpress.org)

The public write-up arrived on April 10, 2026, more than a month after the Common Vulnerabilities and Exposures record was published on March 2, 2026. GitHub’s advisory entry also shows the issue was published there on March 2, 2026. (yeswehack.com) (github.com)

For WordPress administrators, the immediate check is simple: if Login with Azure is installed and the version is 2.2.5 or older, the site is exposed to a login bypass that can end in full site takeover. The fix is to move off those versions before a forged sign-in becomes an administrator session. (nvd.nist.gov) (yeswehack.com)
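The check the write-up says the plugin skipped, shown as an added example that is not the plugin's code (the plugin is PHP; this is dependency-free Python so the logic can be run anywhere): a relying party must verify the ID token's signature against the identity provider's published key set (JWKS) and only then check issuer, audience, expiry and nonce, as OpenID Connect Core 1.0 section 3.1.3.7 requires. The insecure handler next to it reads the claims straight out of the token, which is the bug class described above. The RSA key pairs (built from known Mersenne primes so no crypto library is needed), the JWKS document, the issuer URL, the client id, the `kid` values and all claims are constructed for the demo and are not values from the advisory.

```python
"""Added example, not the plugin's code: how a relying party validates an OpenID Connect
ID token. Key pairs, JWKS, issuer, client id and claims are constructed for the demo."""
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Toy RSA built from known Mersenne primes so the demo needs no library; a real
# relying party uses a JOSE library and fetches the IdP's published jwks_uri.
_MERSENNE = {521: 2**521 - 1, 607: 2**607 - 1, 1279: 2**1279 - 1}   # all three are prime
def make_rsa_keypair(p_exp: int, q_exp: int, e: int = 65537):
    """Return (n, e, d) for p = 2^p_exp - 1, q = 2^q_exp - 1."""
    p, q = _MERSENNE[p_exp], _MERSENNE[q_exp]
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    # RFC 8017 EMSA-PKCS1-v1_5 with SHA-256: the encoding behind JWS alg RS256
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t
def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def jwks_for(n: int, e: int, kid: str) -> dict:
    """The key set an IdP publishes at its jwks_uri; the client fetches and caches it."""
    b64int = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64int(n), "e": b64int(e)}]}
def make_jwt(header: dict, claims: dict, n: int = 0, d: int = 0) -> str:
    """Compact JWS serialization; alg 'none' produces an empty signature part."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    if header.get("alg") == "none":
        return signing_input + "."
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def insecure_identity_from_token(id_token: str) -> str:
    """The bug class in the write-up: claims read with no signature check, so whoever
    assembled the token decides which account the site logs in."""
    return json.loads(b64url_decode(id_token.split(".")[1]))["preferred_username"]

class IdTokenError(Exception):
    pass
def verify_id_token(id_token: str, jwks: dict, issuer: str, audience: str, nonce: str, now=None) -> dict:
    """ID Token Validation per OpenID Connect Core 1.0 section 3.1.3.7; returns claims or raises."""
    now = int(time.time()) if now is None else now
    h64, p64, s64 = id_token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":              # pin the alg: never accept 'none' or HS*
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if not keys:
        raise IdTokenError("no matching key in JWKS")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise IdTokenError("signature verification failed")
    claims = json.loads(b64url_decode(p64))       # only now are the claims worth reading
    aud = claims.get("aud")
    for ok, reason in [(claims.get("iss") == issuer, "issuer mismatch"),
                       (audience in (aud if isinstance(aud, list) else [aud]), "audience mismatch"),
                       (now < int(claims.get("exp", 0)), "token expired"),
                       (claims.get("nonce") == nonce, "nonce mismatch, possible replay")]:
        if not ok:
            raise IdTokenError(reason)
    return claims

def demo(now: int = 1_775_000_000) -> dict:
    """Constructed scenario: a genuine token, the same token with its claims swapped, one
    signed with an attacker-held key under the IdP's kid, and one with alg 'none'."""
    issuer, audience, nonce = "https://idp.example.test/tenant/v2.0", "client-id", "nonce-1"
    idp_n, idp_e, idp_d = make_rsa_keypair(521, 607)
    atk_n, _, atk_d = make_rsa_keypair(607, 1279)
    jwks = jwks_for(idp_n, idp_e, "idp-key-1")
    hdr = {"alg": "RS256", "kid": "idp-key-1"}
    base = {"iss": issuer, "aud": audience, "nonce": nonce, "iat": now, "exp": now + 300}
    genuine = make_jwt(hdr, {**base, "preferred_username": "alice"}, idp_n, idp_d)
    wrong_key = make_jwt(hdr, {**base, "preferred_username": "admin"}, atk_n, atk_d)
    g = genuine.split(".")
    tampered = f"{g[0]}.{wrong_key.split('.')[1]}.{g[2]}"     # genuine signature, swapped claims
    alg_none = make_jwt({"alg": "none"}, {**base, "preferred_username": "admin"})
    verdicts = {}
    for name, tok in [("genuine", genuine), ("tampered", tampered),
                      ("wrong_key", wrong_key), ("alg_none", alg_none)]:
        try:
            secure = verify_id_token(tok, jwks, issuer, audience, nonce, now)["preferred_username"]
        except IdTokenError as exc:
            secure = f"rejected: {exc}"
        verdicts[name] = {"insecure": insecure_identity_from_token(tok), "secure": secure}
    return verdicts
```

`demo()` returns, for each constructed token, the account the insecure handler would log in versus the verdict of the validating one: the insecure path accepts "admin" from every forged token, while `verify_id_token` only ever returns "alice" from the genuinely signed token. Two design points carry over to any relying party: the algorithm is fixed by the client rather than read from the token header, and the signature is checked before a single claim is interpreted, since issuer, audience and nonce checks on unverified claims prove nothing. The hand-rolled RSA exists only so the example runs offline; a production relying party should use a maintained JOSE library and the provider's real discovery document.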


Shared from Scout - Be the smartest in the room.