Platform
wordpress
Component
login-with-azure
Fixed in
2.2.6
CVE-2026-2628 represents a critical authentication bypass vulnerability discovered in the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress. This flaw allows unauthenticated attackers to circumvent authentication mechanisms and potentially gain unauthorized access to user accounts, including administrator privileges. The vulnerability impacts versions of the plugin up to and including 2.2.5, with a fix available in version 2.2.6.
The impact of this authentication bypass is severe. An attacker exploiting this vulnerability could gain complete control over WordPress accounts, including those with administrative privileges. This could lead to unauthorized data access, modification, or deletion, as well as the ability to install malicious code or compromise the entire WordPress site. The attacker could impersonate legitimate users, escalate privileges, and potentially pivot to other systems on the network if the WordPress installation has access to sensitive resources. The ease of exploitation, combined with the widespread use of WordPress and SSO plugins, makes this a high-risk vulnerability.
CVE-2026-2628 was publicly disclosed on March 3, 2026. While no public proof-of-concept (PoC) has been released at the time of writing, the severity of the vulnerability and the ease of potential exploitation suggest a high probability of exploitation. The vulnerability has not yet been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
WordPress websites utilizing the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin, particularly those running versions prior to 2.2.6, are at significant risk. Shared hosting environments where multiple websites share the same server infrastructure are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Organizations relying on this plugin for single sign-on (SSO) to Microsoft 365 are also at increased risk.
• wordpress / composer / npm: list installed plugins and check for the affected plugin (WP-CLI prints plugin slugs, so match on the slug):
  wp plugin list | grep login-with-azure
• wordpress / composer / npm: update the affected plugin to the patched release:
  wp plugin update login-with-azure
• wordpress / composer / npm: confirm the installed version and update status after patching:
  wp plugin status login-with-azure
• wordpress / composer / npm: check whether the plugin's files are reachable on the site:
  curl -I https://your-wordpress-site.com/wp-content/plugins/all-in-one-microsoft-365/all-in-one-microsoft-365.php | head -n 1
Exploit status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2628 is to immediately upgrade the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin to version 2.2.6 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, temporarily disable the plugin to prevent unauthorized access. Review WordPress user accounts for any suspicious activity. Enforce stricter password policies and enable multi-factor authentication (MFA) for all user accounts, especially administrator accounts, as an additional layer of security. After upgrading, verify the fix by attempting to access the WordPress site without authentication; access should be denied.
Update to version 2.2.6, or a newer patched version
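As an added inventory check that is not part of this advisory or of the plugin's own code: a Python helper that reads the JSON printed by `wp plugin list --format=json` (a real WP-CLI option) and flags the login-with-azure plugin whenever its version is below 2.2.6, comparing versions numerically so that a release such as 2.2.10 is not treated as older than 2.2.6. The sample plugin list below is constructed for demonstration.

```python
import json
from typing import Dict, List, Tuple

# Values taken from the advisory: affected plugin slug and first fixed version.
PLUGIN_SLUG = "login-with-azure"
FIXED_VERSION = "2.2.6"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.10' into (2, 2, 10) so comparisons are numeric, not lexical."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:          # pad so '2.2' compares like '2.2.0'
        parts.append(0)
    return tuple(parts)


def vulnerable_plugins(plugin_list_json: str) -> List[Dict[str, str]]:
    """Return entries for the affected plugin whose version is below the fix.

    Input is the JSON array printed by `wp plugin list --format=json`; each
    element carries at least the 'name' (slug), 'status' and 'version' fields.
    An inactive copy is still reported, since it is reactivated with one click.
    """
    findings = []
    for entry in json.loads(plugin_list_json):
        if entry.get("name") != PLUGIN_SLUG:
            continue
        version = entry.get("version", "0")
        if parse_version(version) < parse_version(FIXED_VERSION):
            findings.append({
                "name": entry["name"],
                "version": version,
                "status": entry.get("status", "unknown"),
                "fixed_in": FIXED_VERSION,
            })
    return findings


# Constructed sample; on a real site pipe in `wp plugin list --format=json`.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "login-with-azure", "status": "active", "update": "available", "version": "2.2.5"},
])

if __name__ == "__main__":
    for f in vulnerable_plugins(SAMPLE_PLUGIN_LIST):
        print(f"VULNERABLE: {f['name']} {f['version']} ({f['status']}), fixed in {f['fixed_in']}")
```

To run it against a live site, replace the constructed sample with the output of `wp plugin list --format=json`.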
CVE-2026-2628 is a critical authentication bypass vulnerability affecting the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress, allowing attackers to bypass authentication and gain unauthorized access.
You are affected if you are using the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress in versions 2.2.5 or earlier.
Upgrade the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin to version 2.2.6 or later. Temporarily disable the plugin if an immediate upgrade is not possible.
While no public exploit is currently known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.