Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1925+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-15013: WordPress SAML SSO Plugin — Algorithm Confusion Auth Bypass
CVE-2026-15013: WordPress SAML SSO Plugin — Algorithm Confusion Auth Bypass

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-15013

CVE-2026-15013: WordPress SAML SSO Plugin — Algorithm Confusion Auth Bypass

The miniOrange SAML Single Sign On plugin for WordPress through version 5.4.3 allows unauthenticated attackers to log in as any user via an RSA-to-HMAC algorithm confusion attack against the SAML signature verification logic.

Dylan H.

Security Team

July 16, 2026
4 min read

Affected Products

  • miniOrange SAML Single Sign On – SSO Login <= 5.4.3

Overview

CVE-2026-15013 is a critical authentication bypass vulnerability (CVSS 9.8) in the SAML Single Sign On – SSO Login WordPress plugin by miniOrange (cyberlord92), affecting all versions through 5.4.3. An unauthenticated remote attacker can forge SAML assertions and authenticate as any WordPress account — including site administrators — by exploiting an RSA-to-HMAC signature algorithm confusion flaw.

The vulnerability was discovered and responsibly disclosed by Wordfence, which serves as the CVE Numbering Authority (CNA) for this advisory.

FieldValue
CVECVE-2026-15013
CVSS v3.19.8 Critical
VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-347 — Improper Verification of Cryptographic Signatures
Affectedall versions ≤ 5.4.3
Fixed5.4.4

Root Cause — Algorithm Confusion

The vulnerability resides in Mo_SAML_Utilities::mo_saml_cast_key(). When processing an inbound SAMLResponse, this function reads the SignatureMethod Algorithm attribute from within the attacker-controlled SAML assertion itself, rather than enforcing the server-configured algorithm. This enables a classic RSA-to-HMAC substitution attack:

StepNormal FlowAttack Flow
Signature algorithmServer enforces RSA-SHA256Attacker specifies HMAC-SHA1 in the assertion
Key used to verifyIdP's RSA public keyAttacker uses RSA public key as HMAC secret
OutcomeLegitimate assertion verifiedForged assertion accepted as valid

Because the IdP's RSA public key is public by design (published in metadata), the attacker can trivially sign any forged assertion with it as an HMAC secret and have it pass signature validation.

This is the SAML equivalent of the well-known JWT RS256→HS256 algorithm confusion attack.

Exploitation

The attack is fully remote and requires no prior authentication. The only prerequisite is access to the IdP's RSA public key — which is publicly available in standard SAML metadata.

Attack steps:

  1. Retrieve the IdP's RSA public key from the SAML metadata endpoint.
  2. Craft a SAMLResponse targeting the desired WordPress account (e.g., admin user ID 1).
  3. Set the SignatureMethod Algorithm inside the assertion to http://www.w3.org/2000/09/xmldsig#hmac-sha1.
  4. Sign the forged assertion using the RSA public key bytes as the HMAC-SHA1 secret.
  5. POST the crafted SAMLResponse to the WordPress SAML Assertion Consumer Service (ACS) endpoint.
  6. The plugin accepts the forged signature and issues authenticated WordPress session cookies for the target account.

No public PoC exploit code was available at time of disclosure.

Impact

Successful exploitation grants full WordPress administrative access to the targeted account:

  • Confidentiality — read all posts, settings, user data, installed credentials
  • Integrity — modify content, settings, users; install malicious plugins or backdoors
  • Availability — disable the site, delete content, lock out legitimate administrators

Any WordPress site using SAML SSO for authentication is at elevated risk, as administrator accounts are the primary SAML login targets.

Affected Products

  • SAML Single Sign On – SSO Login (WordPress plugin slug: miniorange-saml-20-single-sign-on) by miniOrange
  • All versions ≤ 5.4.3
  • The plugin is widely deployed for enterprise WordPress SAML integration with IdPs such as Azure AD, Okta, Google Workspace, and ADFS.

Remediation

Update immediately to version 5.4.4 or later.

# WP-CLI update
wp plugin update miniorange-saml-20-single-sign-on

Or update via Plugins → Installed Plugins → Update in the WordPress admin dashboard.

If patching is not immediately possible:

  • Deactivate the plugin — there is no safe server-side configuration workaround that preserves SSO functionality while blocking this attack
  • Consider temporarily reverting to password-based WordPress authentication until the patch is applied

Post-Patch Steps

  • Review WordPress administrator accounts for unauthorized additions or password changes
  • Audit web server logs for SAMLResponse POST requests from unexpected sources or IP addresses
  • Verify the SAML algorithm is now server-enforced by confirming plugin version 5.4.4+ via wp plugin get miniorange-saml-20-single-sign-on

Background: Algorithm Confusion Attacks

Algorithm confusion attacks occur when a system accepts the algorithm specified in a token rather than enforcing a server-configured algorithm. The pattern was extensively documented in JWT contexts by PortSwigger Research and GitHub Security, and applies equally to SAML:

  • In SAML: switch from RSA (asymmetric) to HMAC (symmetric); use the public key as the HMAC secret
  • In JWT: switch from RS256 (asymmetric) to HS256 (symmetric); use the public key as the HMAC secret

The fix in both cases is the same: ignore the algorithm field in the incoming token and enforce the algorithm configured on the server.

References

  • NVD — CVE-2026-15013
  • Wordfence Advisory ee95092d
  • miniOrange SAML Plugin — WordPress.org
  • miniOrange SAML Changelog
  • The Fragile Lock: SAML Authentication Bypasses — PortSwigger Research
#CVE-2026-15013#WordPress#SAML#SSO#Authentication Bypass#CWE-347#Critical

Related Articles

CVE-2026-12492: WooCommerce OTP Login Plugin Auth Bypass — Full Admin Takeover

The Happy Coders OTP Login for WooCommerce plugin before 2.8 allows unauthenticated attackers to bypass OTP verification and log in as any WordPress user, including administrators.

3 min read

CVE-2026-41005: Cloud Foundry UAA SAML Signature Bypass

A high-severity vulnerability (CVSS 9.0) in Cloud Foundry UAA allows attackers to bypass authentication by exploiting the incorrect treatment of XML...

5 min read

CVE-2026-3564: ConnectWise ScreenConnect Auth Bypass via Server Cryptographic Material

A critical authentication bypass vulnerability (CVSS 9.0) in ConnectWise ScreenConnect versions prior to 26.1 allows an actor with access to server-level...

3 min read
Back to all Security Alerts