A critical Broken Authentication flaw, tracked as CVE-2026-57807 with a CVSS score of 9.8, has been discovered in the widely used WordPress OAuth Single Sign–On (SSO) plugin, exposing millions of WordPress websites to complete takeover by unauthenticated remote attackers. The vulnerability is classified under OWASP Top 10 category A7: Identification and Authentication Failures, and is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It exploits the plugin’s password recovery mechanism via an alternative authentication pathway that fails to enforce authentication controls, mapping to CAPEC-50: Password Recovery Exploitation. All versions of the plugin up to and including 38.5.8 are affected, requiring no authentication or prior account access for exploitation from anywhere on the internet with low attack complexity. An unauthenticated remote attacker can abuse the plugin’s flawed password recovery flow to bypass login controls entirely, resulting in a full compromise of confidentiality, integrity, and availability. Successful exploitation can lead to complete site takeover, malicious content injection, data exfiltration, backdoor installation, and further lateral movement within the hosting environment. This high-priority vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or traffic levels.
We recommend you to update WordPress OAuth Single Sign–On (SSO) plugin to version 38.5.8[/subscribe_to_unlock_form]
A critical Broken Authentication flaw, tracked as CVE-2026-57807 with a CVSS score of 9.8, has been discovered in the widely used WordPress OAuth Single Sign–On (SSO) plugin, exposing millions of WordPress websites to complete takeover by unauthenticated remote attackers. The vulnerability is classified under OWASP Top 10 category A7: Identification and Authentication Failures, and is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel). It exploits the plugin’s password recovery mechanism via an alternative authentication pathway that fails to enforce authentication controls, mapping to CAPEC-50: Password Recovery Exploitation. All versions of the plugin up to and including 38.5.8 are affected, requiring no authentication or prior account access for exploitation from anywhere on the internet with low attack complexity. An unauthenticated remote attacker can abuse the plugin’s flawed password recovery flow to bypass login controls entirely, resulting in a full compromise of confidentiality, integrity, and availability. Successful exploitation can lead to complete site takeover, malicious content injection, data exfiltration, backdoor installation, and further lateral movement within the hosting environment. This high-priority vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or traffic levels.
We recommend you to update WordPress OAuth Single Sign–On (SSO) plugin to version 38.5.8[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]