Description

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.

PUBLISHED Reserved 2026-02-17 | Published 2026-03-03 | Updated 2026-03-03 | Assigner Wordfence




CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Product status

Default status: unaffected

* (semver): affected

Timeline

2026-02-05: Discovered
2026-02-17: Vendor Notified
2026-03-02: Disclosed

Credits

Nabil Irawan (finder)

References

www.wordfence.com/...-55f9-4095-a0ba-48ef9434606a?source=cve

plugins.trac.wordpress.org/...r/login-with-azure?rev=3465063

cve.org (CVE-2026-2628)

nvd.nist.gov (CVE-2026-2628)
