
Description

The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to log in through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email.

PUBLISHED Reserved 2026-02-12 | Published 2026-03-05 | Updated 2026-03-06 | Assigner WPScan

Problem types

CWE-287 Improper Authentication

Product status

Default status
affected

Any version
affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/b25c6cbc-39e7-4fa0-af0b-ee7759d2c497/ exploit vdb-entry technical-description

cve.org (CVE-2026-2418)

nvd.nist.gov (CVE-2026-2418)
