CVE-2026-2418 PUBLISHED

Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass

Assigner: WPScan
Reserved: 12.02.2026 Published: 05.03.2026 Updated: 05.03.2026

The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to log in through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email.

Product Status

Vendor Unknown
Product Login with Salesforce
Versions Default: affected
  • affected from 0 to 1.0.2 (incl.)

Credits

  • Khaled Alenazi (Nxploited) finder
  • WPScan coordinator

Problem Types

  • CWE-287: Improper Authentication