Platform
wordpress
Component
login-with-azure
Fixed in
2.2.6
CVE-2026-2628 represents a critical authentication bypass vulnerability discovered in the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress. This flaw allows unauthenticated attackers to circumvent authentication mechanisms and potentially gain unauthorized access to user accounts, including administrator privileges. The vulnerability impacts versions of the plugin up to and including 2.2.5, with a fix available in version 2.2.6.
The impact of this authentication bypass is severe. An attacker exploiting this vulnerability could gain complete control over WordPress accounts, including those with administrative privileges. This could lead to unauthorized data access, modification, or deletion, as well as the ability to install malicious code or compromise the entire WordPress site. The attacker could impersonate legitimate users, escalate privileges, and potentially pivot to other systems on the network if the WordPress installation has access to sensitive resources. The ease of exploitation, combined with the widespread use of WordPress and SSO plugins, makes this a high-risk vulnerability.
CVE-2026-2628 was publicly disclosed on March 3, 2026. While no public proof-of-concept (PoC) has been released at the time of writing, the severity of the vulnerability and the ease of potential exploitation suggest a high probability of exploitation. The vulnerability has not yet been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2628 is to immediately upgrade the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin to version 2.2.6 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent unauthorized access. Review WordPress user accounts for any suspicious activity. Implement stricter password policies and enable multi-factor authentication (MFA) for all user accounts, especially administrator accounts, as an additional layer of security. After upgrading, verify the fix by attempting to access the WordPress site without authentication – access should be denied.
Update to version 2.2.6, or a newer patched version
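As an added example (not code from this advisory or from the plugin vendor), the following POSIX shell script checks the installed login-with-azure version against the fixed release 2.2.6 and, when run with --remediate, updates the plugin or, if the update fails, deactivates it as the interim measure above, then lists administrator accounts for review. It assumes WP-CLI is installed and that it is run from the WordPress root.

```shell
#!/bin/sh
# Added example: affected-version check and remediation for CVE-2026-2628.
# Assumes WP-CLI ("wp") is available and the script runs from the WordPress root.
set -u

PLUGIN_SLUG="login-with-azure"
FIXED_VERSION="2.2.6"   # first patched release per the advisory

# version_lt A B: succeed (exit 0) if A < B, comparing dot-separated numeric
# components so that 2.2.10 > 2.2.6 and 2.2 == 2.2.0. Pre-release suffixes such
# as "-beta" are ignored (assumption: treated as the same release).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop non-numeric suffix
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # versions are equal
}

# is_affected VERSION: succeed if VERSION is in the vulnerable range (< 2.2.6).
is_affected() { version_lt "$1" "$FIXED_VERSION"; }

remediate() {
    v=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG is not installed; nothing to do"; return 0; }
    if is_affected "$v"; then
        echo "$PLUGIN_SLUG $v is affected by CVE-2026-2628; updating"
        if ! wp plugin update "$PLUGIN_SLUG"; then
            echo "update failed; deactivating $PLUGIN_SLUG as an interim measure"
            wp plugin deactivate "$PLUGIN_SLUG"
        fi
    else
        echo "$PLUGIN_SLUG $v is at or above $FIXED_VERSION"
    fi
    # Surface administrator accounts so unexpected additions can be reviewed.
    wp user list --role=administrator --fields=ID,user_login,user_registered
}

if [ "${1:-}" = "--remediate" ]; then
    remediate
fi
```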
CVE-2026-2628 is a critical authentication bypass vulnerability affecting the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress, allowing attackers to bypass authentication and gain unauthorized access.
You are affected if you are using the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress in versions 2.2.5 or earlier.
Upgrade the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin to version 2.2.6 or later. Temporarily disable the plugin if an immediate upgrade is not possible.
While no public exploit is currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.