Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15013

CVE-2026-15013: WordPress SAML SSO Auth Bypass Vulnerability

CVE-2026-15013 is an authentication bypass flaw in the WordPress SAML Single Sign On plugin that enables attackers to forge SAML assertions and gain admin access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15013 Overview

CVE-2026-15013 is a critical authentication bypass vulnerability in the SAML Single Sign On – SSO Login plugin for WordPress. All versions up to and including 5.4.3 are affected. The flaw allows unauthenticated attackers to forge SAML assertions and take over any WordPress account, including administrators. The root cause is a signature algorithm confusion issue in the Mo_SAML_Utilities::mo_saml_cast_key() function, which trusts the algorithm attribute supplied in the attacker-controlled SAMLResponse parameter. This vulnerability is categorized under [CWE-347] (Improper Verification of Cryptographic Signature).

Critical Impact

Unauthenticated attackers can forge SAML assertions to authenticate as any WordPress user, including administrators, resulting in full site compromise.

Affected Products

  • SAML Single Sign On – SSO Login plugin for WordPress (miniorange-saml-20-single-sign-on)
  • All versions up to and including 5.4.3
  • WordPress sites relying on the plugin for SAML-based authentication

Discovery Timeline

  • 2026-07-16 - CVE-2026-15013 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-15013

Vulnerability Analysis

The vulnerability resides in how the plugin validates SAML response signatures. Security Assertion Markup Language (SAML) responses include a SignatureMethod element that identifies the algorithm used to sign the assertion. A correct implementation must enforce the algorithm bound to the Identity Provider (IdP) configuration. This plugin instead reads the algorithm identifier directly from the incoming SAMLResponse and hands it to the key-casting routine. An attacker can therefore choose which algorithm the verifier will use.

Root Cause

The Mo_SAML_Utilities::mo_saml_cast_key() function reads the SignatureMethod Algorithm attribute from the untrusted SAMLResponse parameter. It does not compare that value against the locally configured signature algorithm associated with the IdP. When the attacker specifies HMAC-SHA1 as the algorithm, the plugin recasts the IdP's RSA public key material as an HMAC shared secret. Because the public key is publicly known, the attacker can compute a valid HMAC-SHA1 tag over a forged assertion using that same key value. See the WordPress Plugin Code Review for the vulnerable code path.

Attack Vector

An unauthenticated remote attacker crafts a SAML response containing an assertion for a target WordPress user, such as an administrator. The attacker sets the SignatureMethod Algorithm to HMAC-SHA1 and computes the signature using the IdP's published RSA public key as the HMAC key. The plugin accepts the forged signature as valid, issues WordPress authentication cookies for the impersonated user, and grants full session access. See the Wordfence Vulnerability Report for additional detail.

Detection Methods for CVE-2026-15013

Indicators of Compromise

  • SAML responses containing SignatureMethod Algorithm set to http://www.w3.org/2000/09/xmldsig#hmac-sha1 where the configured IdP uses RSA-SHA256 or RSA-SHA1.
  • Unexpected WordPress administrator logins originating from the SAML ACS (Assertion Consumer Service) endpoint without a corresponding IdP session.
  • New administrator accounts, plugin installations, or theme edits following a SAML login event.
  • WordPress wp_login events for privileged users lacking a matching IdP authentication log entry.

Detection Strategies

  • Inspect web server access logs for POST requests to the plugin's ACS endpoint and capture the SAMLResponse parameter for offline analysis.
  • Parse captured SAML responses and flag any ds:SignatureMethod value that does not match the IdP's configured signing algorithm.
  • Correlate WordPress authentication events with IdP-side authentication logs to identify assertions that were never issued by the IdP.
  • Alert on rapid privilege changes, plugin uploads, or PHP file modifications immediately following a SAML login.

Monitoring Recommendations

  • Enable verbose logging on the SAML plugin and forward logs to a centralized SIEM for retention and analysis.
  • Monitor for the creation of administrator accounts and changes to wp_users and wp_usermeta tables.
  • Track outbound network connections from the WordPress host that could indicate post-exploitation activity.
  • Baseline expected SAML signature algorithms per IdP and alert on any deviation.

How to Mitigate CVE-2026-15013

Immediate Actions Required

  • Update the SAML Single Sign On – SSO Login plugin to the patched release published in the WordPress Plugin Change Set.
  • Audit all WordPress administrator and editor accounts for unexpected additions or role changes.
  • Rotate WordPress authentication salts in wp-config.php to invalidate any active forged sessions.
  • Review recent plugin, theme, and core file changes for unauthorized modifications.

Patch Information

The vendor addressed the issue in the release following 5.4.3. The fix enforces the locally configured signature algorithm rather than trusting the SignatureMethod attribute from the incoming SAMLResponse. Administrators should upgrade to the latest available version of the miniorange-saml-20-single-sign-on plugin.

Workarounds

  • Disable the SAML SSO plugin until the patched version can be installed and validated.
  • Restrict access to the WordPress SAML ACS endpoint using a web application firewall rule that blocks requests where the SAMLResponseSignatureMethod is HMAC-based.
  • Require multi-factor authentication for WordPress administrator accounts as an additional layer of defense.
  • Temporarily switch privileged users to native WordPress authentication while the plugin is disabled.
bash
# Example WP-CLI commands to update the plugin and audit administrators
wp plugin update miniorange-saml-20-single-sign-on
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.