CVE-2026-15013 PUBLISHED

SAML Single Sign On <= 5.4.3 - Unauthenticated Authentication Bypass via 'SAMLResponse' Parameter Signature Algorithm Confusion

Assigner: Wordfence
Reserved: 07.07.2026 Published: 16.07.2026 Updated: 16.07.2026

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because Mo_SAML_Utilities::mo_saml_cast_key() reads the SignatureMethod Algorithm attribute directly from the attacker-controlled SAMLResponse parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor cyberlord92
Product SAML Single Sign On – SSO Login
Versions Default: unaffected
  • affected from 0 to 5.4.3 (incl.)

Credits

  • lhking finder

References

Problem Types

  • CWE-347 Improper Verification of Cryptographic Signature CWE