CVE-2026-15013 in SAML Single Sign On Plugininfo

Summary

by MITRE • 07/16/2026

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in the SAML Single Sign On – SSO Login plugin for WordPress represents a critical authentication bypass flaw that undermines the security of single sign-on implementations. This issue affects all versions up to and including 5.4.3, making it a widespread concern for WordPress installations relying on SAML authentication. The root cause lies in how the plugin handles signature validation processes, specifically within the Mo_SAML_Utilities::mo_saml_cast_key() function that directly interprets the SignatureMethod attribute from attacker-controlled SAMLResponse parameters without proper validation against locally configured security settings.

The technical flaw exploits a fundamental weakness in cryptographic algorithm handling where the plugin fails to enforce consistent signature verification protocols. When processing SAML assertions, the system reads the SignatureMethod Algorithm attribute directly from the SAMLResponse parameter instead of cross-verifying it against the pre-configured security parameters. This misconfiguration enables attackers to manipulate the signature validation process by forcing the system to interpret an RSA public key as an HMAC-SHA1 shared secret. The vulnerability creates a cryptographic confusion scenario where the plugin's internal logic becomes susceptible to manipulation through crafted SAML responses that appear legitimate to the authentication system but contain maliciously altered signature methods.

The operational impact of this vulnerability extends far beyond simple unauthorized access, enabling complete account takeover scenarios with administrative privileges. Unauthenticated attackers can forge SAML assertions targeting any WordPress user account including administrators, bypassing all standard authentication mechanisms. The forged assertions allow attackers to obtain valid WordPress authentication cookies that grant full administrative control over affected systems. This level of compromise enables attackers to modify content, install malicious plugins, access sensitive data, and potentially establish persistent backdoors within the WordPress environment.

This vulnerability aligns with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-295 (Improper Certificate Validation), while also mapping to ATT&CK techniques involving credential access through forged authentication tokens and privilege escalation via administrative account compromise. The flaw demonstrates poor input validation practices in cryptographic operations and highlights the importance of enforcing consistent security policies across all authentication mechanisms. Organizations utilizing this plugin face significant risk of complete system compromise, with potential data breaches and unauthorized modifications to critical WordPress installations. The vulnerability's exploitation requires minimal technical expertise, making it particularly dangerous as it can be leveraged by attackers with basic knowledge of SAML protocols.

Mitigation strategies should focus on immediate plugin updates to versions that address the signature algorithm confusion issue, implementing additional security layers such as multi-factor authentication, and establishing proper monitoring for suspicious authentication patterns. Organizations should also review their SAML configuration settings to ensure cryptographic algorithms are properly enforced and validate all external authentication responses through multiple verification mechanisms. Network-level controls including intrusion detection systems and firewall rules can help detect anomalous SAML traffic patterns that may indicate exploitation attempts. Regular security audits of authentication plugins and proper patch management procedures are essential to prevent similar vulnerabilities from being exploited in the future, while also ensuring compliance with industry standards for secure authentication implementation.

Responsible

Wordfence

Reservation

07/08/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!