CVE-2026-2418
Published: 05 March 2026
Description
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to log in through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email.
Mitigating Controls (NIST 800-53 r5)
Directly manages identity providers like Salesforce to ensure only permitted users can authenticate, preventing impersonation via unvalidated email logins.
Enforces approved authorizations during authentication processes, addressing the plugin's failure to validate Salesforce login permissions.
Provides robust organizational user identification and authentication, mitigating bypass vulnerabilities in external authentication plugins.
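The controls above come down to one concrete check the plugin skips: after Salesforce returns an identity, the site must confirm that identity is bound to a specific WordPress account that an administrator has enabled for Salesforce login, rather than accepting any account whose email happens to match. The following is an added illustration of that check for a WordPress SSO callback; it is not code from the Login with Salesforce plugin. It assumes the Salesforce response has already been verified (for example via the OAuth code exchange) and yields an array with the Salesforce user ID and email, and it uses two hypothetical user meta keys, sf_user_id (the stored link to a Salesforce account) and sf_sso_allowed (the per-user enablement flag).

```php
<?php
// Added example, not the plugin's own code. Assumes $sf_identity comes from a
// verified Salesforce response. Meta keys 'sf_user_id' and 'sf_sso_allowed'
// are hypothetical names chosen for this illustration.

function sf_sso_resolve_user( array $sf_identity ) {
    $email = isset( $sf_identity['email'] ) ? sanitize_email( $sf_identity['email'] ) : '';
    $sf_id = isset( $sf_identity['user_id'] ) ? (string) $sf_identity['user_id'] : '';

    if ( '' === $sf_id || ! is_email( $email ) ) {
        return new WP_Error( 'sf_sso_bad_identity', 'Incomplete identity from Salesforce.' );
    }

    // Resolve the account through the stored Salesforce user ID, never by email alone:
    // an email is public knowledge, a provisioned link is not.
    $user_ids = get_users( array(
        'meta_key'   => 'sf_user_id',
        'meta_value' => $sf_id,
        'number'     => 2,
        'fields'     => 'ID',
    ) );
    if ( 1 !== count( $user_ids ) ) {
        return new WP_Error( 'sf_sso_not_linked', 'No single account is linked to this Salesforce user.' );
    }
    $user = get_user_by( 'id', (int) $user_ids[0] );
    if ( ! $user ) {
        return new WP_Error( 'sf_sso_no_user', 'Linked account no longer exists.' );
    }

    // Per-account permission: an administrator must have enabled Salesforce login
    // for this user. Missing or unset means denied.
    if ( '1' !== get_user_meta( $user->ID, 'sf_sso_allowed', true ) ) {
        return new WP_Error( 'sf_sso_not_permitted', 'Salesforce login is not enabled for this account.' );
    }

    // Defence in depth: the email asserted by Salesforce must match the linked account.
    if ( strtolower( $user->user_email ) !== strtolower( $email ) ) {
        return new WP_Error( 'sf_sso_email_mismatch', 'Salesforce email does not match the linked account.' );
    }

    return $user;
}

function sf_sso_handle_callback( array $sf_identity ) {
    $user = sf_sso_resolve_user( $sf_identity );
    if ( is_wp_error( $user ) ) {
        // Log the reason for detection purposes, but show the user only a generic failure.
        error_log( 'sf_sso denied: ' . $user->get_error_code() );
        wp_die( 'Login failed.', 'Login failed', array( 'response' => 403 ) );
    }

    // Only now establish the session for the resolved, permitted account.
    wp_set_current_user( $user->ID, $user->user_login );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The ordering matters: the session is created only after every check has passed, and a lookup that returns zero or more than one linked account is treated as a failure rather than resolved by falling back to the email. Denied attempts are written to the error log with a distinct reason code so that repeated sf_sso_not_linked or sf_sso_not_permitted entries can be alerted on.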
Security Summary
CVE-2026-2418 is a critical authentication bypass vulnerability in the Login with Salesforce WordPress plugin through version 1.0.2. The flaw occurs because the plugin fails to validate whether users are permitted to authenticate via Salesforce, allowing attackers to impersonate any existing user account simply by providing the target's email address.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Successful exploitation enables attackers to authenticate as any user, including administrators, potentially granting full unauthorized access to the WordPress site and compromising sensitive data or enabling further malicious actions.
The WPScan advisory provides further details on this vulnerability, available at https://wpscan.com/vulnerability/b25c6cbc-39e7-4fa0-af0b-ee7759d2c497/.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin (T1190: Exploit Public-Facing Application), enabling unauthenticated attackers to impersonate any existing user account (T1078: Valid Accounts).