Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated attacker (PR:N/UI:N) exploits algorithm confusion with only public-certificate knowledge (AC:L), yielding full admin takeover (C:H/I:H/A:H).
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
The SAML Single Sign On - SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because Mo_SAML_Utilities::mo_saml_cast_key() reads the SignatureMethod Algorithm attribute directly from the attacker-controlled SAMLResponse parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account - including administrators - obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.
Articles & Coverage 1
AnalysisAI
Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the miniOrange SAML SSO plugin (≤5.4.3) is installed and active as a SAML Service Provider on the target WordPress site, and that the attacker knows the IdP's public signing certificate - which is normally published in SAML metadata and therefore not a meaningful secret. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine top-priority issue, not an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains the target site's IdP public signing certificate (routinely exposed in SP/IdP metadata), crafts a SAML assertion naming the site administrator, and signs it with HMAC-SHA1 using the public key bytes as the secret while setting the SignatureMethod algorithm to HMAC-SHA1 in the SAMLResponse. They POST the forged response to the plugin's ACS endpoint unauthenticated; the plugin recasts the RSA key as an HMAC secret, validates the forged signature, and issues valid WordPress admin cookies. … |
| Remediation | Upstream fix available (changeset 3601345 in the WordPress plugin repository, https://plugins.trac.wordpress.org/changeset?old=3601345%40miniorange-saml-20-single-sign-on&new=3601345%40miniorange-saml-20-single-sign-on); a specific released patched version is not independently confirmed from the provided data, so upgrade to the latest available version of the plugin (any release beyond 5.4.3) as the primary fix and verify against the Wordfence advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress instances using the miniOrange SAML SSO plugin and confirm deployment of affected versions (5.4.3 and earlier). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44866
GHSA-p847-q8vx-c3fg