All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login Vulnerabil…

by | Mar 2, 2026 | Plugins

Attack Vectors

The vulnerability CVE-2026-2628 affects the WordPress plugin All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login (slug: login-with-azure) in versions up to and including 2.2.5. Because the issue is an authentication bypass, an attacker does not need valid credentials to attempt access.

In practical terms, this means an external, unauthenticated attacker could potentially log in as another user on your site—including administrator accounts—without going through the normal sign-in process. This is why the severity is rated Critical (CVSS 9.8).

Security Weakness

The core weakness is an authentication bypass in the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin (versions <= 2.2.5), which can allow login as other users, including administrators, without authentication.

This is especially high-risk for organizations that rely on SSO-related plugins as a trusted gateway into WordPress administration, because successful exploitation can effectively negate the protections you expect from standard login controls.

Technical or Business Impacts

If exploited, this issue can lead to full administrative takeover of the WordPress site. From a business perspective, that can translate into website defacement, unauthorized content changes, disruption of campaigns and lead-generation pages, and loss of control over brand messaging.

For executive leadership and compliance teams, the bigger concern is exposure of sensitive data and operational risk: attackers with admin access can create new accounts, alter security settings, and potentially access customer or prospect information stored in WordPress or connected plugins. This can trigger incident response costs, reputational damage, and regulatory or contractual reporting obligations depending on what data is accessible.

Recommended remediation: Update All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login to version 2.2.6 or newer, the release that contains the fix. For reference, the disclosed source is Wordfence’s vulnerability record: Wordfence Threat Intel entry.
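The quickest way to confirm exposure is to compare the installed plugin version against the fixed release. The following is an added example, not code from the plugin or from Wordfence: it reads the "Version:" line from a WordPress plugin header, performs a proper numeric comparison (so that 2.2.10 is not mistaken for an older release than 2.2.6, and a pre-release such as 2.2.6-rc1 is still treated as unpatched), and scans the plugin directory for the slug named in the advisory. The main PHP file name of this plugin is not stated on the page, so the scanner looks at every top-level .php file that carries a "Plugin Name:" header; the sample header text is constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Values taken from the advisory: affected plugin slug and first fixed release.
PLUGIN_SLUG = "login-with-azure"
FIXED_VERSION = "2.2.6"  # 2.2.5 and earlier are affected (CVE-2026-2628)

# Constructed sample of a WordPress plugin header, as found at the top of a
# plugin's main PHP file. The real file name for this plugin is not on the page.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login
 * Version: 2.2.5
 */
"""

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1).strip() if m else None


def _normalize(version: str, width: int) -> Tuple[int, ...]:
    """Turn '2.2.5' or '2.2.6-rc1' into a comparable, zero-padded tuple.

    A pre-release suffix (anything after '-') sorts below the final release,
    so '2.2.6-rc1' is treated as older than '2.2.6' and therefore unpatched.
    """
    base, _, suffix = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    nums += [0] * (width - len(nums))
    nums.append(-1 if suffix else 0)
    return tuple(nums)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    width = max(len(installed.partition("-")[0].split(".")),
                len(fixed.partition("-")[0].split(".")))
    return _normalize(installed, width) < _normalize(fixed, width)


def installed_version(plugins_root: Path, slug: str = PLUGIN_SLUG) -> Optional[str]:
    """Find the plugin's version by reading headers of its top-level .php files.

    Returns None when the plugin directory is absent (plugin not installed)
    or no file carries both a 'Plugin Name:' and a 'Version:' header.
    """
    plugin_dir = plugins_root / slug
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        # WordPress reads headers from the first few KB of the file only.
        text = php_file.read_text(errors="replace")[:8192]
        if "Plugin Name:" not in text:
            continue
        version = parse_plugin_version(text)
        if version:
            return version
    return None


def assess(plugins_root: Path) -> str:
    """Return a one-line assessment suitable for a check script or ticket."""
    version = installed_version(plugins_root)
    if version is None:
        return f"{PLUGIN_SLUG}: not installed or version header not found"
    state = "VULNERABLE (update to %s or newer)" % FIXED_VERSION if is_vulnerable(version) else "patched"
    return f"{PLUGIN_SLUG}: version {version} is {state}"


if __name__ == "__main__":
    # Demonstrate on the constructed header, then on a real install path
    # (assumed default WordPress layout; adjust to your document root).
    print("sample header version:", parse_plugin_version(SAMPLE_HEADER))
    print(assess(Path("/var/www/html/wp-content/plugins")))
```

On a host with WP-CLI available, `wp plugin get login-with-azure --field=version` gives the same version string without reading files by hand; feed it to `is_vulnerable()` for the comparison. Confirming the version after the update is worth the extra step, because a site that has auto-updates disabled or a stale copy of the plugin in a staging directory will still report the affected release.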

Similar Attacks

Authentication bypass and “login as admin” style vulnerabilities have been used in real-world compromises across many platforms and products. Examples of widely reported incidents include the 2023 MOVEit Transfer exploitation that led to large-scale data theft: CISA Advisory AA23-158A.

Another well-known example is the 2021 Microsoft Exchange “ProxyLogon” incident, which enabled widespread unauthorized access and downstream compromise in many organizations: CISA Advisory AA21-062A.
