External risk intelligence

WordPress SAML SSO Plugin Authentication Bypass Allows Account Takeover.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-15013

This vulnerability exists in a SAML Single Sign-On plugin for WordPress. SAML SSO endpoints are designed to be public-facing to facilitate authentication redirects between identity providers and the service provider, making them internet-accessible by design in all standard deployments.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical security flaw has been identified in a widely used WordPress plugin that facilitates Single Sign-On (SSO) authentication. This vulnerability could allow unauthenticated attackers to bypass security measures, potentially leading to unauthorized access and complete takeover of administrator accounts. The main concern is confirming if your organization utilizes this specific plugin and is therefore exposed.

  • Allows attackers to bypass login controls.
  • Affects secure user authentication processes.
  • Confirm relevance and exposure of this plugin.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by crafting a malicious SAML response. The plugin incorrectly processes the signature method from this response, allowing the attacker to forge a valid assertion. This forged assertion can then be used to bypass authentication and take over any WordPress account, including administrator accounts.

  • Attacker needs no prior access.
  • Forged SAML response bypasses signature validation.
  • Full administrator account takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass authentication and take over any WordPress account, including administrator accounts, by forging a SAML assertion. This could lead to unauthorized access and control of the WordPress site.

  • WordPress accounts and administrator privileges at risk.
  • Unauthenticated attackers can forge SAML assertions.
  • Full account takeover and site control.

Operational Fix

Recommended remediation, mitigation, and detection steps

The SAML Single Sign On – SSO Login plugin for WordPress, specifically the `Mo_SAML_Utilities::mo_saml_cast_key()` function, is susceptible to an authentication bypass. This vulnerability arises from the plugin's failure to properly validate the SAML `SignatureMethod` Algorithm, allowing unauthenticated attackers to forge SAML assertions, obtain valid WordPress authentication cookies, and gain full administrative control. Immediate action should focus on identifying all instances of this plugin, assessing their exposure and business criticality, locating the accountable application or platform owner, and developing a risk-based remediation plan.

  • WordPress application owners.
  • Verify SAML plugin exposure and criticality.
  • Plan vendor-coordinated updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the SAML Single Sign On – SSO Login plugin for WordPress?

This plugin acts as a bridge between your WordPress site and an Identity Provider (IdP) like Okta or Azure AD. It enables Single Sign-On, allowing users to log into the site using their corporate credentials instead of a local WordPress password. It handles the secure exchange of SAML tokens, which verify a user's identity.

How does the CVE-2026-15013 authentication bypass work?

This flaw is a cryptographic weakness known as CWE-347, or improper verification of cryptographic signatures. The plugin incorrectly trusts the SAML signature algorithm sent by an untrusted user instead of using the pre-configured local setting. This allows an attacker to manipulate the signature method, tricking the plugin into validating a forged login token as if it were legitimate.

Do I need special access to trigger this vulnerability?

No. An attacker does not need prior access to your site or valid credentials to exploit this bug. The vulnerability is triggered by submitting a crafted, malicious SAML response directly to the plugin's endpoint. However, the bug is not triggered by normal, legitimate user logins or standard interactions that rely on correctly configured and signed assertions from your trusted Identity Provider.

Why is this plugin considered internet-facing?

Halo Surface Signal indicates that SAML SSO endpoints are designed to be public-facing by default. Because these endpoints must communicate with external identity providers to facilitate redirects, they are inherently reachable from the internet in standard deployments, making them visible to potential attackers.

How should I respond to this threat?

Start by identifying all WordPress sites in your environment running this plugin. Once located, check the current version against the affected releases. Coordinate with your application owners to prioritize a transition to the latest patched version from the developer. If an update cannot be applied immediately, consider disabling the plugin's SSO functionality to prevent unauthorized access.

References