Horizon Alert
Summary of the vulnerability and why it matters
A critical security flaw has been identified in a widely used WordPress plugin that facilitates Single Sign-On (SSO) authentication. This vulnerability could allow unauthenticated attackers to bypass security measures, potentially leading to unauthorized access and complete takeover of administrator accounts. The main concern is confirming if your organization utilizes this specific plugin and is therefore exposed.
- Allows attackers to bypass login controls.
- Affects secure user authentication processes.
- Confirm relevance and exposure of this plugin.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can exploit this vulnerability by crafting a malicious SAML response. The plugin incorrectly processes the signature method from this response, allowing the attacker to forge a valid assertion. This forged assertion can then be used to bypass authentication and take over any WordPress account, including administrator accounts.
- Attacker needs no prior access.
- Forged SAML response bypasses signature validation.
- Full administrator account takeover.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker to bypass authentication and take over any WordPress account, including administrator accounts, by forging a SAML assertion. This could lead to unauthorized access and control of the WordPress site.
- WordPress accounts and administrator privileges at risk.
- Unauthenticated attackers can forge SAML assertions.
- Full account takeover and site control.
Operational Fix
Recommended remediation, mitigation, and detection steps
The SAML Single Sign On – SSO Login plugin for WordPress, specifically the `Mo_SAML_Utilities::mo_saml_cast_key()` function, is susceptible to an authentication bypass. This vulnerability arises from the plugin's failure to properly validate the SAML `SignatureMethod` Algorithm, allowing unauthenticated attackers to forge SAML assertions, obtain valid WordPress authentication cookies, and gain full administrative control. Immediate action should focus on identifying all instances of this plugin, assessing their exposure and business criticality, locating the accountable application or platform owner, and developing a risk-based remediation plan.
- WordPress application owners.
- Verify SAML plugin exposure and criticality.
- Plan vendor-coordinated updates.