CVE-2026-2628

Critical

Published: 03 March 2026

Published

03 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 62.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log…

in as other users, including administrators.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of flaws such as this authentication bypass vulnerability in the WordPress plugin.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Mandates vulnerability scanning and monitoring to identify critical flaws like CVE-2026-2628 in plugins before exploitation.

IA-2 Identification and Authentication (Organizational Users) partial match

prevent

Requires robust identification and authentication for users, addressing the SSO plugin's failure to properly authenticate and prevent bypass.

Security SummaryAI

CVE-2026-2628 is an authentication bypass vulnerability (CWE-288) in the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress, affecting all versions up to and including 2.2.5. Published on 2026-03-03, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact without prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows bypassing authentication mechanisms, enabling login as any user, including administrators, which could lead to full site compromise through unauthorized access to sensitive data and administrative functions.

Advisories and patch details are available via references including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/5e15e36e-55f9-4095-a0ba-48ef9434606a?source=cve) and the WordPress plugin trac repository (https://plugins.trac.wordpress.org/browser/login-with-azure?rev=3465063).

Details

CWE(s): CWE-288

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application for unauthorized access as any user including administrators.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/login-with-azure?rev=3465063
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e15e36e-55f9-4095-a0ba-48ef9434606a?source=cve
security@wordfence.com