Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Severe WordPress Plugin Flaw Risks Website Takeover

Severe WordPress Plugin Flaw Risks Website Takeover

Posted on July 13, 2026 By CWS

A major security weakness has been identified in the popular WordPress OAuth Single Sign-On (SSO) plugin created by miniOrange. This vulnerability potentially allows unauthorized remote attackers to gain complete control of millions of WordPress websites.

Details of the Security Vulnerability

The flaw, labeled CVE-2026-57807, was highlighted by Patchstack on July 9, 2026, and it holds a critical CVSS score of 9.8. It falls under the OWASP Top 10 category A7: Identification and Authentication Failures, specifically as a Broken Authentication flaw.

The core of the issue lies in CWE-288, known as Authentication Bypass Using an Alternate Path or Channel. The vulnerability manipulates the plugin’s password recovery mechanism, taking advantage of an alternative authentication route that lacks proper security checks. This is associated with CAPEC-50: Password Recovery Exploitation.

Impact and Exploitation Potential

All versions of the plugin up to 38.5.8 are vulnerable. The attack can be executed without any authentication, prior access, or user interaction, making it highly exploitable and low in complexity. An attacker can bypass login controls using this flaw, potentially impersonating any user, including administrators.

This capability could lead to a complete compromise of the site’s confidentiality, integrity, and availability, allowing for malicious content injection, data theft, backdoor installations, and further infiltration within the hosting environment.

Recommended Actions and Future Outlook

Patchstack has flagged this as a high-priority issue, anticipating widespread exploitation attempts across numerous websites. Currently, miniOrange has not released an official fix, but Patchstack offers a virtual patch to mitigate exploitation until an update is available.

Administrators using any affected version should promptly deactivate and remove the plugin from all public-facing WordPress sites. If immediate removal isn’t possible, it is advised to restrict access to login and password recovery endpoints using Web Application Firewall (WAF) or IP allowlisting.

Security researcher Kim Dvash originally reported the vulnerability on June 6, 2026, with the NVD publishing the CVE record on July 10, 2026. Users should keep an eye on updates from the official WordPress plugin repository and miniOrange for a patched release and apply updates as they are released.

Cyber Security News Tags:authentication flaw, CVE-2026-57807, miniOrange, password recovery, Patchstack, plugin vulnerability, Security, web security, website security, WordPress

Post navigation

Previous Post: EU Sanctions Russian Officers for Cyber Espionage
Next Post: Critical RabbitMQ Flaw Exposes Enterprise Risks

Related Posts

Oracle Releases Critical Patches for 35 Security Flaws Oracle Releases Critical Patches for 35 Security Flaws Cyber Security News
CISOs Role in Driving Secure Digital Transformation CISOs Role in Driving Secure Digital Transformation Cyber Security News
OneLogin AD Connector Vulnerabilities Exposes Authentication Credentials OneLogin AD Connector Vulnerabilities Exposes Authentication Credentials Cyber Security News
Pulsar RAT Attacking Windows Systems via Per-user Run Registry Key and Exfiltrates Sensitive Details Pulsar RAT Attacking Windows Systems via Per-user Run Registry Key and Exfiltrates Sensitive Details Cyber Security News
CISA Alerts on Exploited Microsoft Vulnerabilities CISA Alerts on Exploited Microsoft Vulnerabilities Cyber Security News
Microsoft October 2025 Security Update Causes Active Directory Sync Issues on Windows Server 2025 Microsoft October 2025 Security Update Causes Active Directory Sync Issues on Windows Server 2025 Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VEXAIoT Revolutionizes IoT Security Testing with AI
  • June 2026 Cybersecurity M&A: 37 Key Deals Unveiled
  • Meta’s New AI Patent: Tracking Emotions via Voice
  • Forensic Analysis Uncovers £113K Property Fraud Scheme
  • Critical RabbitMQ Flaw Exposes Enterprise Risks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VEXAIoT Revolutionizes IoT Security Testing with AI
  • June 2026 Cybersecurity M&A: 37 Key Deals Unveiled
  • Meta’s New AI Patent: Tracking Emotions via Voice
  • Forensic Analysis Uncovers £113K Property Fraud Scheme
  • Critical RabbitMQ Flaw Exposes Enterprise Risks

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark