CVE-2026-2418
Authentication Bypass in Login with Salesforce WordPress Plugin
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: WPScan
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2418 affects the WordPress plugin "Login with Salesforce" versions up to 1.0.2 and allows an unauthenticated authentication bypass.

The vulnerability arises because the plugin fails to verify whether users are authorized to log in via Salesforce.

An attacker can authenticate as any user, including administrators, simply by knowing the target user's email address.

The attack works by sending a POST request to the vulnerable endpoint with parameters indicating a successful login status and a base64-encoded email address in the NameID field.

If the email corresponds to an existing user, the plugin calls wp_set_auth_cookie(), effectively logging the attacker in as that user. [1]
How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an attacker to log in as any user without authentication.

If the attacker targets an administrator's email, they can gain full administrative access to the WordPress site.

Such unauthorized access can lead to data theft, site defacement, installation of malicious code, or complete takeover of the website. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the authentication bypass using a crafted POST request to the vulnerable endpoint of the Login with Salesforce plugin.

Specifically, if the `mo_saml_customer_token` is empty (default state), an attacker can send a POST request with parameters indicating a successful login and a base64-encoded email address in the `NameID` field.

If the email corresponds to an existing user, the plugin will authenticate the attacker as that user.

- Use a command like the following curl request to test the vulnerability by attempting to log in as a known user (replace TARGET_URL and [email protected] accordingly):
- `curl -X POST TARGET_URL/wp-login.php?action=login_with_salesforce -d 'status=success&NameID=$(echo -n "[email protected]" | base64)'`

If the response indicates a successful login or sets authentication cookies, the system is vulnerable. [1]
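A defender-side complement to the probe above, added here and not part of the advisory: it scans constructed web-server log lines for POST requests to the Login with Salesforce endpoint that carry the bypass shape (`status=success` plus a base64 `NameID`) and decodes the `NameID` to show which account was targeted. The log field order, the sample lines and the assumption that request bodies are logged are all constructed for this example; adapt `LINE_RE` to your proxy or WAF log format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real traffic): "<ip> <method> <path> <status> <body>".
# Plain access logs rarely record POST bodies; this assumes a WAF/reverse-proxy log that does.
LOG_LINES = [
    "203.0.113.7 POST /wp-login.php?action=login_with_salesforce 302 status=success&NameID=YWRtaW5AZXhhbXBsZS5jb20=",
    "198.51.100.4 GET /wp-login.php 200 -",
    "203.0.113.7 POST /wp-login.php?action=login_with_salesforce 200 status=failure&NameID=Ym9iQGV4YW1wbGUuY29t",
    "198.51.100.23 POST /wp-login.php?action=login_with_salesforce 200 status=success&NameID=%%%",
    "192.0.2.9 POST /wp-login.php 200 log=alice&pwd=REDACTED",
]

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<code>\d{3}) (?P<body>.*)$")
ENDPOINT = "/wp-login.php?action=login_with_salesforce"  # endpoint named in the advisory


def decode_name_id(value):
    """Return the NameID decoded as UTF-8, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_bypass_attempts(lines):
    """Return (client_ip, targeted_account) for each request shaped like the bypass."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(ENDPOINT):
            continue
        params = parse_qs(m["body"])
        # The bypass is the client asserting its own login outcome: status=success plus a NameID.
        if params.get("status", [""])[0] != "success" or "NameID" not in params:
            continue
        who = decode_name_id(params["NameID"][0])
        hits.append((m["ip"], who if who is not None else "<undecodable NameID>"))
    return hits


if __name__ == "__main__":
    for ip, who in find_bypass_attempts(LOG_LINES):
        print(f"ALERT {ip} sent a Salesforce-login bypass request targeting {who}")
```

A hit against an existing account, especially an administrator, is the signal to check whether that user's session was actually established and to deactivate the plugin as the mitigation section describes.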
What immediate steps should I take to mitigate this vulnerability?
Currently, there is no known fix for this vulnerability in the Login with Salesforce plugin versions up to 1.0.2.
Immediate mitigation steps include:
- Disable or deactivate the Login with Salesforce plugin until a patch or update is released.
- Restrict access to the WordPress login endpoint to trusted IP addresses or networks if possible.
- Monitor login activity for suspicious logins, especially those using Salesforce authentication.
- Consider implementing additional authentication layers such as two-factor authentication to reduce risk.