CVE-2026-2628
Authentication Bypass in Microsoft 365 SSO Plugin for WordPress
Publication date: 2026-03-03
Last updated on: 2026-03-03
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyberlord92 | login_with_azure | up to 2.2.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress has an authentication bypass vulnerability in all versions up to and including 2.2.5.
This vulnerability allows unauthenticated attackers to bypass the normal login process and gain access by logging in as other users, including administrators.
How can this vulnerability impact me?
Because attackers can bypass authentication and log in as any user, including administrators, this vulnerability can lead to full compromise of the affected WordPress site.
- Unauthorized access to sensitive data.
- Potential for attackers to modify site content or settings.
- Complete control over the site by malicious actors.
- Disruption of normal site operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress to a version later than 2.2.5 where the authentication bypass issue is fixed.