Overview
CVE-2026-15013 is a critical authentication bypass vulnerability (CVSS 9.8) in the SAML Single Sign On – SSO Login WordPress plugin by miniOrange (cyberlord92), affecting all versions through 5.4.3. An unauthenticated remote attacker can forge SAML assertions and authenticate as any WordPress account — including site administrators — by exploiting an RSA-to-HMAC signature algorithm confusion flaw.
The vulnerability was discovered and responsibly disclosed by Wordfence, which serves as the CVE Numbering Authority (CNA) for this advisory.
| Field | Value |
|---|---|
| CVE | CVE-2026-15013 |
| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-347 — Improper Verification of Cryptographic Signatures |
| Affected | all versions ≤ 5.4.3 |
| Fixed | 5.4.4 |
Root Cause — Algorithm Confusion
The vulnerability resides in Mo_SAML_Utilities::mo_saml_cast_key(). When processing an inbound SAMLResponse, this function reads the SignatureMethod Algorithm attribute from within the attacker-controlled SAML assertion itself, rather than enforcing the server-configured algorithm. This enables a classic RSA-to-HMAC substitution attack:
| Step | Normal Flow | Attack Flow |
|---|---|---|
| Signature algorithm | Server enforces RSA-SHA256 | Attacker specifies HMAC-SHA1 in the assertion |
| Key used to verify | IdP's RSA public key | Attacker uses RSA public key as HMAC secret |
| Outcome | Legitimate assertion verified | Forged assertion accepted as valid |
Because the IdP's RSA public key is public by design (published in metadata), the attacker can trivially sign any forged assertion with it as an HMAC secret and have it pass signature validation.
This is the SAML equivalent of the well-known JWT RS256→HS256 algorithm confusion attack.
Exploitation
The attack is fully remote and requires no prior authentication. The only prerequisite is access to the IdP's RSA public key — which is publicly available in standard SAML metadata.
Attack steps:
- Retrieve the IdP's RSA public key from the SAML metadata endpoint.
- Craft a
SAMLResponsetargeting the desired WordPress account (e.g., admin user ID 1). - Set the
SignatureMethod Algorithminside the assertion tohttp://www.w3.org/2000/09/xmldsig#hmac-sha1. - Sign the forged assertion using the RSA public key bytes as the HMAC-SHA1 secret.
- POST the crafted
SAMLResponseto the WordPress SAML Assertion Consumer Service (ACS) endpoint. - The plugin accepts the forged signature and issues authenticated WordPress session cookies for the target account.
No public PoC exploit code was available at time of disclosure.
Impact
Successful exploitation grants full WordPress administrative access to the targeted account:
- Confidentiality — read all posts, settings, user data, installed credentials
- Integrity — modify content, settings, users; install malicious plugins or backdoors
- Availability — disable the site, delete content, lock out legitimate administrators
Any WordPress site using SAML SSO for authentication is at elevated risk, as administrator accounts are the primary SAML login targets.
Affected Products
- SAML Single Sign On – SSO Login (WordPress plugin slug:
miniorange-saml-20-single-sign-on) by miniOrange - All versions ≤ 5.4.3
- The plugin is widely deployed for enterprise WordPress SAML integration with IdPs such as Azure AD, Okta, Google Workspace, and ADFS.
Remediation
Update immediately to version 5.4.4 or later.
# WP-CLI update
wp plugin update miniorange-saml-20-single-sign-onOr update via Plugins → Installed Plugins → Update in the WordPress admin dashboard.
If patching is not immediately possible:
- Deactivate the plugin — there is no safe server-side configuration workaround that preserves SSO functionality while blocking this attack
- Consider temporarily reverting to password-based WordPress authentication until the patch is applied
Post-Patch Steps
- Review WordPress administrator accounts for unauthorized additions or password changes
- Audit web server logs for
SAMLResponsePOST requests from unexpected sources or IP addresses - Verify the SAML algorithm is now server-enforced by confirming plugin version 5.4.4+ via
wp plugin get miniorange-saml-20-single-sign-on
Background: Algorithm Confusion Attacks
Algorithm confusion attacks occur when a system accepts the algorithm specified in a token rather than enforcing a server-configured algorithm. The pattern was extensively documented in JWT contexts by PortSwigger Research and GitHub Security, and applies equally to SAML:
- In SAML: switch from RSA (asymmetric) to HMAC (symmetric); use the public key as the HMAC secret
- In JWT: switch from RS256 (asymmetric) to HS256 (symmetric); use the public key as the HMAC secret
The fix in both cases is the same: ignore the algorithm field in the incoming token and enforce the algorithm configured on the server.