CVE-2026-2628

CRITICAL

All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <2.2.5 - Authentication Bypass

Description

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.

Exploits (2)

github SUSPICIOUS 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2628

nomisec SUSPICIOUS
by b1gchoi · poc
https://github.com/b1gchoi/CVE-2026-2628-PoC

Scores

CVSS v3 9.8
EPSS 0.0042
EPSS Percentile 62.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-288
Status published
Products (1)
cyberlord92/All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login < 2.2.5
Published Mar 03, 2026
Tracked Since Mar 03, 2026