A major security weakness has been identified in the popular WordPress OAuth Single Sign-On (SSO) plugin created by miniOrange. This vulnerability potentially allows unauthorized remote attackers to gain complete control of millions of WordPress websites.
Details of the Security Vulnerability
The flaw, labeled CVE-2026-57807, was highlighted by Patchstack on July 9, 2026, and it holds a critical CVSS score of 9.8. It falls under the OWASP Top 10 category A7: Identification and Authentication Failures, specifically as a Broken Authentication flaw.
The core of the issue lies in CWE-288, known as Authentication Bypass Using an Alternate Path or Channel. The vulnerability manipulates the plugin’s password recovery mechanism, taking advantage of an alternative authentication route that lacks proper security checks. This is associated with CAPEC-50: Password Recovery Exploitation.
Impact and Exploitation Potential
All versions of the plugin up to 38.5.8 are vulnerable. The attack can be executed without any authentication, prior access, or user interaction, making it highly exploitable and low in complexity. An attacker can bypass login controls using this flaw, potentially impersonating any user, including administrators.
This capability could lead to a complete compromise of the site’s confidentiality, integrity, and availability, allowing for malicious content injection, data theft, backdoor installations, and further infiltration within the hosting environment.
Recommended Actions and Future Outlook
Patchstack has flagged this as a high-priority issue, anticipating widespread exploitation attempts across numerous websites. Currently, miniOrange has not released an official fix, but Patchstack offers a virtual patch to mitigate exploitation until an update is available.
Administrators using any affected version should promptly deactivate and remove the plugin from all public-facing WordPress sites. If immediate removal isn’t possible, it is advised to restrict access to login and password recovery endpoints using Web Application Firewall (WAF) or IP allowlisting.
Security researcher Kim Dvash originally reported the vulnerability on June 6, 2026, with the NVD publishing the CVE record on July 10, 2026. Users should keep an eye on updates from the official WordPress plugin repository and miniOrange for a patched release and apply updates as they are released.
