OneLogin SAML SSO Security & Risk Analysis

wordpress.org/plugins/onelogin-saml-sso

This plugin provides single sign-on via SAML and gives users one-click access to their WordPress accounts from identity providers like OneLogin.

7K active installs · v3.4.0 · PHP + WP 2.1.2+ · Updated Dec 9, 2025
Tags: active-directory, password, saml, single-sign-on, sso
Score: 96 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Mar 31, 2021
Safety Verdict

Is OneLogin SAML SSO Safe to Use in 2026?

Generally Safe

Score 96/100

OneLogin SAML SSO has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Mar 31, 2021 · Updated 3mo ago
Risk Assessment

The 'onelogin-saml-sso' plugin v3.4.0 exhibits a mixed security posture. On one hand, the static analysis reveals a commendable absence of directly exposed entry points like AJAX handlers, REST API routes, or shortcodes without authentication. All SQL queries are properly prepared, and file operations are minimal. However, the output escaping is a significant concern, with 57% of outputs not being properly escaped, potentially leading to cross-site scripting (XSS) vulnerabilities.

The taint analysis shows one flow with an unsanitized path which, while not classified as critical or high, still represents a potential risk of path traversal or information disclosure. The plugin's vulnerability history is concerning: 5 known CVEs, including a past critical improper-authentication flaw and others involving open redirects, XML entity expansion, and hard-coded credentials. Since the last known vulnerability dates from 2021 and no CVEs are currently unpatched, these past issues appear to have been addressed, but the historical pattern indicates recurring security weaknesses.

In conclusion, while the plugin has implemented some good security practices like prepared statements and limited attack surface, the poor output escaping and past vulnerability history present notable risks. The lack of critical or high severity findings in the current static and taint analysis is positive, but the historical context and the unescaped outputs warrant careful consideration and potential further investigation.

Key Concerns

  • Significant portion of outputs not properly escaped
  • One flow with unsanitized paths
  • History of 5 known CVEs, including critical
Vulnerabilities: 5

OneLogin SAML SSO Security Vulnerabilities

CVEs by Year

  • 2016: 3 CVEs
  • 2019: 1 CVE
  • 2021: 1 CVE

Severity Breakdown

Critical: 1
High: 3
Medium: 1

5 total CVEs

WF-dede9cfc-61f1-4df1-bd40-e5ae73199575-onelogin-saml-sso · medium · 4.7 · URL Redirection to Untrusted Site ('Open Redirect')

OneLogin SAML SSO <= 3.1.2 - Open Redirection

Mar 31, 2021 · Patched in 3.2.0 (1028d)

WF-4ac3dae6-1890-44ba-9671-84f77807ffe5-onelogin-saml-sso · high · 7.5 · Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

OneLogin SAML SSO <= 2.8.0 - Distributed Denial-of-Service

Jan 28, 2019 · Patched in 3.0.0 (1821d)

WF-b524e239-0a7c-4515-8126-4fd298e43bdd-onelogin-saml-sso · high · 7.3 · Improper Verification of Cryptographic Signature

OneLogin SAML SSO <= 2.4.2 - Use of Vulnerable Component

Oct 14, 2016 · Patched in 2.4.3 (2657d)

WF-c5a5c209-0ccd-4fa9-b22d-05bb22247441-onelogin-saml-sso · critical · 9.8 · Improper Authentication

OneLogin SAML-SSO Plugin < 2.1.6 - Authentication Bypass

Jun 6, 2016 · Patched in 2.1.6 (2787d)

CVE-2016-10928 · high · 7.5 · Use of Hard-coded Credentials

OneLogin SAML SSO < 2.2.0 - Authentication Bypass

Jan 21, 2016 · Patched in 2.2.0 (2924d)
Code Analysis
Analyzed Mar 16, 2026

OneLogin SAML SSO Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (25 prepared)
Unescaped Output: 102 (77 escaped)
Nonce Checks: 2
Capability Checks: 7
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 25 total queries

Output Escaping

43% escaped · 179 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths
Unsanitized flow: saml_custom_login_footer (php\functions.php:101)
Attack Surface

OneLogin SAML SSO Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 21
  • action init (onelogin_saml.php:41)
  • action admin_menu (onelogin_saml.php:44)
  • action init (onelogin_saml.php:47)
  • action network_admin_menu (onelogin_saml.php:51)
  • action network_admin_edit_network_saml_global_settings (onelogin_saml.php:52)
  • action network_admin_edit_network_saml_settings (onelogin_saml.php:53)
  • action network_admin_edit_network_saml_injection (onelogin_saml.php:54)
  • action network_admin_edit_network_saml_enabler (onelogin_saml.php:55)
  • filter allow_password_reset (onelogin_saml.php:64)
  • action lost_password (onelogin_saml.php:67)
  • action retrieve_password (onelogin_saml.php:68)
  • action password_reset (onelogin_saml.php:69)
  • action init (onelogin_saml.php:76)
  • action init (onelogin_saml.php:81)
  • action init (onelogin_saml.php:99)
  • action init (onelogin_saml.php:113)
  • filter login_message (onelogin_saml.php:115)
  • action register_form (onelogin_saml.php:119)
  • action login_enqueue_scripts (onelogin_saml.php:128)
  • action admin_footer (php\functions.php:674)
  • action admin_footer (php\functions.php:677)
Maintenance & Trust

OneLogin SAML SSO Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Dec 9, 2025
PHP min version: not listed
Downloads: 193K

Community Trust

Rating: 88/100
Number of ratings: 13
Active installs: 7K
Developer Profile

OneLogin SAML SSO Developer Profile

sixtomartin

1 plugin · 7K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 2243 days
Detection Fingerprints

How We Detect OneLogin SAML SSO

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/onelogin-saml-sso/assets/js/hide-login-form.js
Script Paths
assets/js/hide-login-form.js

HTML / DOM Fingerprints

Data Attributes
data-saml-login-url, data-saml-logout-url
JS Globals
oneLoginSAML
FAQ

Frequently Asked Questions about OneLogin SAML SSO