Skip to main content

miniOrange SAML SSO EUVDEUVD-2026-44866

| CVE-2026-15013 CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-07-16 Wordfence GHSA-p847-q8vx-c3fg
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Remote unauthenticated attacker (PR:N/UI:N) exploits algorithm confusion with only public-certificate knowledge (AC:L), yielding full admin takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 04:47 vuln.today
CVE Published
Jul 16, 2026 - 03:44 cve.org
CRITICAL 9.8

DescriptionCVE.org

The SAML Single Sign On - SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because Mo_SAML_Utilities::mo_saml_cast_key() reads the SignatureMethod Algorithm attribute directly from the attacker-controlled SAMLResponse parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account - including administrators - obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

AnalysisAI

Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Retrieve IdP public certificate from SAML metadata
Delivery
Craft forged assertion for admin account
Exploit
Set SignatureMethod to HMAC-SHA1, sign with public key
Install
POST SAMLResponse to plugin ACS endpoint
C2
Plugin recasts RSA key as HMAC secret and validates
Execute
Receive valid WordPress admin cookies
Impact
Full administrator account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the miniOrange SAML SSO plugin (≤5.4.3) is installed and active as a SAML Service Provider on the target WordPress site, and that the attacker knows the IdP's public signing certificate - which is normally published in SAML metadata and therefore not a meaningful secret. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine top-priority issue, not an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains the target site's IdP public signing certificate (routinely exposed in SP/IdP metadata), crafts a SAML assertion naming the site administrator, and signs it with HMAC-SHA1 using the public key bytes as the secret while setting the SignatureMethod algorithm to HMAC-SHA1 in the SAMLResponse. They POST the forged response to the plugin's ACS endpoint unauthenticated; the plugin recasts the RSA key as an HMAC secret, validates the forged signature, and issues valid WordPress admin cookies. …
Remediation Upstream fix available (changeset 3601345 in the WordPress plugin repository, https://plugins.trac.wordpress.org/changeset?old=3601345%40miniorange-saml-20-single-sign-on&new=3601345%40miniorange-saml-20-single-sign-on); a specific released patched version is not independently confirmed from the provided data, so upgrade to the latest available version of the plugin (any release beyond 5.4.3) as the primary fix and verify against the Wordfence advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress instances using the miniOrange SAML SSO plugin and confirm deployment of affected versions (5.4.3 and earlier). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

EUVD-2026-44866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy