WP-Safety
CVE-2020-26511

WPO365 | LOGIN <= 11.6 - Authentication Bypass

criticalImproper Authentication
9.1
CVSS Score
9.1
CVSS Score
critical
Severity
11.7
Patched in
1208d
Time to patch

Description

The WPO365 | LOGIN plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
None
Availability

Technical Details

Affected versions<=11.6
PublishedOctober 2, 2020
Last updatedJanuary 22, 2024
Affected pluginwpo365-login
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d4cf93d-61af-4721-9751-9891e08ce7b8?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database