<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SAML Single Sign on – SSO Login Plugin for WordPress (&lt;= 5.4.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/saml-single-sign-on--sso-login-plugin-for-wordpress--5.4.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 05:17:59 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/saml-single-sign-on--sso-login-plugin-for-wordpress--5.4.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authentication Bypass in miniOrange SAML SSO Login Plugin for WordPress (CVE-2026-15013)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wordpress-saml-sso-bypass/</link><pubDate>Thu, 16 Jul 2026 05:17:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wordpress-saml-sso-bypass/</guid><description>A critical authentication bypass vulnerability (CVE-2026-15013) exists in the SAML Single Sign On - SSO Login plugin for WordPress, affecting all versions up to and including 5.4.3, enabling unauthenticated attackers to forge SAML assertions and achieve full administrator-level account takeover due to signature algorithm confusion.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability (CVE-2026-15013) exists in the SAML Single Sign On - SSO Login plugin for WordPress, affecting all versions up to and including 5.4.3. The flaw stems from the plugin's <code>Mo_SAML_Utilities::mo_saml_cast_key()</code> function, which incorrectly reads the <code>SignatureMethod</code> Algorithm attribute directly from an attacker-controlled <code>SAMLResponse</code> parameter. This misconfiguration allows the plugin to be tricked into recasting the Identity Provider's RSA public key as an HMAC-SHA1 shared secret. Consequently, unauthenticated attackers can forge SAML assertions. Successful exploitation leads to the issuance of valid WordPress authentication cookies, enabling complete administrator-level account takeover. This vulnerability poses a significant risk to the integrity and confidentiality of affected WordPress installations, potentially allowing full control over the website and its data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a WordPress instance running the vulnerable SAML Single Sign On - SSO Login plugin.</li>
<li>Attacker crafts a malicious SAML assertion targeting an administrative user account.</li>
<li>The crafted assertion includes a manipulated <code>SignatureMethod</code> Algorithm attribute, specifying an HMAC-SHA1 signature method.</li>
<li>Attacker signs the crafted assertion using a forged HMAC-SHA1 signature.</li>
<li>The forged SAML assertion is sent via HTTP POST request to the vulnerable WordPress site's SAML endpoint.</li>
<li>The <code>Mo_SAML_Utilities::mo_saml_cast_key()</code> function in the plugin processes the <code>SAMLResponse</code>.</li>
<li>The plugin incorrectly reads the attacker-controlled <code>SignatureMethod</code> (HMAC-SHA1) from the <code>SAMLResponse</code> instead of enforcing the configured RSA algorithm.</li>
<li>The plugin attempts to validate the signature by recasting the legitimate Identity Provider's RSA public key as an HMAC-SHA1 shared secret, leading to successful validation of the attacker's forged signature and granting authentication as the targeted user, even an administrator.</li>
<li>Attacker obtains valid WordPress authentication cookies, achieving full administrator-level account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15013 grants unauthenticated attackers complete administrative control over the affected WordPress website. This allows for full account takeover of any user, including administrators, leading to potential data exfiltration, website defacement, arbitrary code execution via plugin/theme upload, or further compromise of the underlying server. Organizations using the affected plugin face severe risks to data integrity, confidentiality, and availability, potentially leading to significant operational disruption and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15013 immediately by updating the miniOrange SAML Single Sign On - SSO Login plugin for WordPress to a version beyond 5.4.3.</li>
<li>Monitor web server logs for suspicious HTTP POST requests to your WordPress SAML SSO endpoint, especially those containing unusually large <code>SAMLResponse</code> payloads or unexpected <code>SignatureMethod</code> values.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>authentication-bypass</category><category>saml</category><category>cve</category></item></channel></rss>