Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2418 affects the WordPress plugin "Login with Salesforce" versions up to 1.0.2 and allows an unauthenticated authentication bypass.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the plugin fails to verify whether users are authorized to log in via Salesforce.'}, {'type': 'paragraph', 'content': "An attacker can authenticate as any user, including administrators, simply by knowing the target user's email address."}, {'type': 'paragraph', 'content': 'The attack works by sending a POST request to the vulnerable endpoint with parameters indicating a successful login status and a base64-encoded email address in the NameID field.'}, {'type': 'paragraph', 'content': 'If the email corresponds to an existing user, the plugin calls wp_set_auth_cookie(), effectively logging the attacker in as that user.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts because it allows an attacker to log in as any user without authentication.'}, {'type': 'paragraph', 'content': "If the attacker targets an administrator's email, they can gain full administrative access to the WordPress site."}, {'type': 'paragraph', 'content': 'Such unauthorized access can lead to data theft, site defacement, installation of malicious code, or complete takeover of the website.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the authentication bypass using a crafted POST request to the vulnerable endpoint of the Login with Salesforce plugin.'}, {'type': 'paragraph', 'content': 'Specifically, if the `mo_saml_customer_token` is empty (default state), an attacker can send a POST request with parameters indicating a successful login and a base64-encoded email address in the `NameID` field.'}, {'type': 'paragraph', 'content': 'If the email corresponds to an existing user, the plugin will authenticate the attacker as that user.'}, {'type': 'list_item', 'content': 'Use a command like the following curl request to test the vulnerability by attempting to log in as a known user (replace TARGET_URL and [email protected] accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST TARGET_URL/wp-login.php?action=login_with_salesforce -d \'status=success&NameID=$(echo -n "[email protected]" | base64)\''}, {'type': 'paragraph', 'content': 'If the response indicates a successful login or sets authentication cookies, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there is no known fix for this vulnerability in the Login with Salesforce plugin versions up to 1.0.2.

Immediate mitigation steps include:

• Disable or deactivate the Login with Salesforce plugin until a patch or update is released.
• Restrict access to the WordPress login endpoint to trusted IP addresses or networks if possible.
• Monitor login activity for suspicious logins, especially those using Salesforce authentication.
• Consider implementing additional authentication layers such as two-factor authentication to reduce risk.

Useful 0 Not Useful 0