CVE-2026-2628
📋 TL;DR
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any user, including administrators. This affects all WordPress sites using this plugin up to version 2.2.5. Attackers can gain full administrative control over vulnerable WordPress installations.
💻 Affected Systems
- All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover - attackers gain administrator access, can install backdoors, deface websites, steal sensitive data, or use the site for further attacks.
Likely Case
Administrative account compromise leading to website defacement, data theft, or malware installation.
If Mitigated
Limited impact if strong network segmentation, web application firewalls, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
The vulnerability is simple to exploit and public proof-of-concept code exists, making weaponization highly probable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/login-with-azure?rev=3465063
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login'.
4. Click 'Update Now' if available, or manually update to version 2.2.6+.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the plugin until patched
wp plugin deactivate login-with-azure
Web Application Firewall rule
Block suspicious authentication requests to the plugin endpoints
🧯 If You Can't Patch
- Disable the plugin immediately and use alternative authentication methods
- Implement strict network access controls and monitor for authentication bypass attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → look for 'All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login' version 2.2.5 or earlier
Check Version:
wp plugin get login-with-azure --field=version
Verify Fix Applied:
Verify plugin version is 2.2.6 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful admin login from new IP
- Plugin-specific authentication bypass attempts in WordPress logs
Network Indicators:
- HTTP requests to plugin authentication endpoints with unusual parameters
- Authentication requests from unexpected IP addresses
SIEM Query:
source="wordpress" AND (plugin="login-with-azure" OR uri_path="/wp-content/plugins/login-with-azure/") AND (status=200 OR auth_success=true) FROM unknown_ips
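The version check and the detection rule above, as an added example that is not part of this advisory: a small Python helper that flags an installed login-with-azure version below 2.2.6 and scans web-server access logs for successful requests to the plugin's path from addresses outside an allow-list. The combined log format, the endpoint file name in the sample lines, and the allow-listed network are assumptions made for the example.

```python
"""Defender-side checks for CVE-2026-2628 (login-with-azure <= 2.2.5).
Added example; log format, endpoint name and allow-list are assumed."""
import re
from ipaddress import ip_address, ip_network

PATCHED = (2, 2, 6)                                   # first fixed release per advisory
PLUGIN_PATH = "/wp-content/plugins/login-with-azure/"  # path from the SIEM query

# Apache/nginx combined log format (assumed): client ip, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; "auth.php" is a made-up endpoint name for the sample
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/login-with-azure/auth.php?state=abc HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2026:10:00:05 +0000] "GET /wp-content/plugins/login-with-azure/auth.php?state=def HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Mar/2026:10:00:09 +0000] "GET /wp-content/plugins/login-with-azure/auth.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Mar/2026:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3000',
]
KNOWN_NETWORKS = ["192.0.2.0/24"]  # assumed: ranges your admins normally log in from


def is_vulnerable(version: str) -> bool:
    """True when the installed plugin version is older than the patched 2.2.6."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))  # treat "2.2" as 2.2.0
    return parts < PATCHED


def suspicious_hits(log_lines, known_networks):
    """Return (ip, path, status) for HTTP 200 responses on the plugin's path
    that came from an address outside the known networks."""
    nets = [ip_network(n) for n in known_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if not path.startswith(PLUGIN_PATH) or status != 200:
            continue
        if any(ip_address(ip) in net for net in nets):
            continue  # known source, not flagged
        hits.append((ip, path, status))
    return hits


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("2.2.5"))
    for hit in suspicious_hits(SAMPLE_LOG, KNOWN_NETWORKS):
        print("review:", hit)
```

Feed the version from `wp plugin get login-with-azure --field=version` into `is_vulnerable`, and point `suspicious_hits` at your real access log after adjusting `LOG_RE` to your server's format.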