CVE-2026-12281
Received Received - Intake

Shibboleth Plugin Authentication Bypass via Spoofed Headers

Vulnerability report for CVE-2026-12281, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: WPScan

Description

The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach the application, an unauthenticated attacker can log in with forged identity headers and, when automatic account creation and the default administrator role mapping are enabled, create and sign in as a new administrator. Exploitation requires the non-default HTTP header attribute mode, an empty or absent spoof key, automatic account creation enabled, and a deployment that does not strip untrusted client headers before they reach the application.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Check if the Shibboleth WordPress plugin version is below 2.5.4. Inspect server logs for unusual administrator account creation events or forged identity headers. Verify if HTTP header identity mode is enabled without an anti-spoofing key.

Mitigation Strategies

Update the Shibboleth plugin to version 2.5.4 or later. Ensure an anti-spoofing key is configured if using HTTP header identity mode. Disable automatic account creation and review administrator role mappings.

Executive Summary

The Shibboleth WordPress plugin before version 2.5.4 has an authentication bypass vulnerability. When HTTP header identity mode is enabled without an anti-spoofing key, the plugin fails to verify identity headers. This allows unauthenticated attackers to forge headers and log in as administrators if automatic account creation and default role mapping are enabled.

Impact Analysis

An attacker could create a new administrator account and gain full control of the WordPress site. This could lead to website defacement, data theft, malware distribution, or complete takeover of the site and its users.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating GDPR and HIPAA requirements for access control and data protection. Organizations may face fines and legal consequences for non-compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart