Security Alert Summary
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress contains an authentication bypass vulnerability in all versions up to and including 2.2.5 that can allow unauthenticated attackers to log in as other users, including administrators, without valid credentials.
CVE Details
- CVE ID: CVE-2026-2628
- Affected plugin / component: The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress (as stated in the CVE description)
- Affected versions: All versions up to, and including, 2.2.5 (as stated in the CVE description)
- Published: March 3, 2026 at 2:16:10 AM
- Last modified: March 3, 2026 at 2:16:10 AM
- CVSS v3.1: Base Score 9.8; Severity: CRITICAL; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW; Scope: UNCHANGED
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
- CWE / weakness: CWE-288 (as listed in the CVE entry)
Technical Details
According to the CVE description, the plugin contains an authentication bypass vulnerability affecting all versions up to and including 2.2.5. This flaw allows an unauthenticated attacker to bypass normal authentication checks and authenticate as other users, including administrator accounts.
The CVE entry does not name specific functions, REST API endpoints, or code paths; it describes the issue at the authentication level. Because the vulnerability permits unauthenticated access and results in a high impact to confidentiality, integrity, and availability, successful exploitation can provide the attacker with the same access rights as the impersonated user.
How This Could Impact Your Website
Consider a small organization running WordPress with multiple accounts: a site owner (administrator), internal staff members (editors, authors), and an external contractor or vendor with a contributor account. If this vulnerability is present and exploitable on your site, an unauthenticated attacker could log in as an existing user — potentially as an administrator — without valid credentials.
- An attacker authenticated as an administrator could access site settings, install or remove plugins and themes, create or modify content, and access user data stored in the admin area.
- Compromise of contributor or staff accounts could expose internal email addresses and other personal data, increasing the risk of targeted phishing or social engineering against staff and external contractors.
- Unauthorized administrative actions could lead to data alteration, content tampering, or downtime, consistent with the CVSS impacts to integrity and availability.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is made available. (The CVE entry specifies vulnerability through version 2.2.5; a fixed version is not specified in the CVE entry.)
- Temporarily disable or remove the plugin if you cannot immediately confirm that you are running a patched release.
- Review and reduce unnecessary user roles and privileges, especially for contributors and low-trust accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and keep all themes and plugins up to date.
- Monitor site activity and logs for unusual behavior, such as unexpected administrator logins or new administrative users.
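As an added example that is not part of the CVE entry or the plugin itself, the following must-use plugin implements the monitoring step above: it writes one structured log line for every administrator login and for every grant of the administrator role, so unexpected events can be alerted on from the PHP error log. The plugin title and the function name aam_log_event are constructed for this example; the WordPress hooks used (wp_login, set_user_role, user_register) are core hooks.

```php
<?php
/**
 * Plugin Name: Admin Activity Monitor (constructed example)
 * Description: Logs administrator logins and administrator role grants to the PHP error log.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and cannot be disabled from the dashboard.
 */

// Emit one JSON line per event so a log shipper or a grep can pick it up.
function aam_log_event( string $event, array $fields ): void {
    $fields['event'] = $event;
    $fields['time']  = gmdate( 'c' );
    $fields['ip']    = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $fields['ua']    = substr( $_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200 );
    error_log( 'wp-admin-monitor ' . wp_json_encode( $fields ) );
}

// Every successful login (form, SSO or otherwise): record it when the account holds the administrator role.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        aam_log_event( 'admin_login', array( 'user' => $user_login, 'id' => $user->ID ) );
    }
}, 10, 2 );

// Role changes: flag any grant of the administrator role to an account that did not have it.
add_action( 'set_user_role', function ( int $user_id, string $role, array $old_roles ): void {
    if ( 'administrator' === $role && ! in_array( 'administrator', $old_roles, true ) ) {
        $actor = wp_get_current_user();
        aam_log_event( 'admin_role_granted', array(
            'target_id' => $user_id,
            'actor_id'  => $actor->ID, // 0 means no logged-in user performed the change
            'old_roles' => $old_roles,
        ) );
    }
}, 10, 3 );

// New accounts created directly as administrators: also recorded here so the event carries the login name.
add_action( 'user_register', function ( int $user_id ): void {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        aam_log_event( 'admin_user_created', array( 'target_id' => $user_id, 'user' => $user->user_login ) );
    }
} );
```

Review the resulting log lines against your known administrators; an admin_login from an unfamiliar address, or an admin_role_granted with actor_id 0, is the kind of event this advisory asks you to watch for.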
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.