CVE-2026-2628

CRITICAL

All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <2.2.5 - Authentication Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2628. PoCs published by XiaomingX, b1gchoi.

AI-analyzed exploit summary: The repository claims to provide a PoC for an Azure AD SSO bypass vulnerability but lacks actual exploit code, instead directing users to an external download link. The README contains technical details but no functional code, raising suspicion.

Description

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.

Exploits (2)

github SUSPICIOUS 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2628

The repository claims to provide a PoC for an Azure AD SSO bypass vulnerability but lacks actual exploit code, instead directing users to an external download link. The README contains technical details but no functional code, raising suspicion.

Classification: Suspicious 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login ≤ 2.2.5
No auth needed
Prerequisites: Target runs vulnerable plugin (≤ 2.2.5) · Known user email
devstral-2 · analyzed Mar 04, 2026

nomisec SUSPICIOUS
by b1gchoi · poc
https://github.com/b1gchoi/CVE-2026-2628-PoC

The repository claims to provide a PoC for an Azure AD SSO bypass vulnerability but lacks actual exploit code, instead redirecting users to an external download link. The README contains technical details but no functional code, raising suspicion of a social engineering lure.

Classification: Suspicious 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login ≤ 2.2.5
No auth needed
Prerequisites: Vulnerable plugin version · Known user email
devstral-2 · analyzed Mar 03, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0045
EPSS Percentile: 64.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-288
Status: published
Products (1)
cyberlord92/All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login < 2.2.5
Published: Mar 03, 2026
Tracked Since: Mar 03, 2026