CVE-2026-15013
Received Received - Intake

Authentication Bypass via SAML Signature Confusion in WordPress SSO Plugin

Vulnerability report for CVE-2026-15013, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account β€” including administrators β€” obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
miniorange saml_single_sign_on to 5.4.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in the SAML Single Sign On – SSO Login WordPress plugin. It allows attackers to forge SAML assertions by manipulating the SignatureMethod algorithm. The plugin incorrectly uses an attacker-controlled value from the SAMLResponse instead of enforcing the configured algorithm, leading to key confusion where RSA public keys are treated as HMAC-SHA1 shared secrets. This enables unauthenticated attackers to impersonate any WordPress user, including administrators, and gain full account takeover.

Impact Analysis

If you use the vulnerable plugin, attackers can completely take over your WordPress site. They can log in as any user, including administrators, steal sensitive data, install malware, or deface your website. Since this requires no authentication, the risk is high for all users of the affected plugin versions.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection requirements and HIPAA's security rules. If exploited, it may result in data breaches, triggering mandatory breach notifications and potential fines under these regulations.

Mitigation Strategies

Update the SAML Single Sign On – SSO Login plugin to the latest version beyond 5.4.3 immediately. Disable the plugin temporarily if an update is not available. Review WordPress user accounts for unauthorized administrator access and revoke suspicious sessions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15013. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart