Donate Telegram

CVE-2026-2628

CRITICAL CVSS 3.1: 9.8 EPSS 0.25%

Mar 03, 2026

Updated Mar 03, 2026

Microsoft

Parameter	Value
CVSS	9.8 (CRITICAL)
Type	CWE-288 (Authentication Bypass Using Alternate Path (Обход аутентификации))
Vendor	Microsoft
Public PoC	No

The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

High

Полная модификация данных

Availability

High

Полный отказ в обслуживании

CVSS Vector v3.1

Weakness Type (CWE)

CWE-288 Authentication Bypass Using Alternate Path (Обход аутентификации)

References 2

https://plugins.trac.wordpress.org/browser/login-with-azure?rev=3465063

security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/5e15e36e-55f9-4095-a0…

security@wordfence.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-26124

Microsoft

CVE-2026-26122

Microsoft

CVE-2026-21536

Microsoft

CVE-2026-3224

Microsoft

CVE-2025-58107

Microsoft

CVE Details

CVE ID

CVE-2026-2628

Published Date

Mar 03, 2026

Vendor

Microsoft

Severity

CRITICAL

CVSS v3.1 Score

9.8

Critical severity. Immediate action required.

Attack Analysis

Exploitability 3.9/10

How easy to exploit

Impact 5.9/10

Severity of consequences

Exploit Prediction (EPSS)

Probability of Exploit 0.25%

Likelihood of exploitation in next 30 days

Percentile: 47.8th percentile (higher than 47.8% of all CVEs)

Standard patching cycle

Impact

Full data disclosure

Complete data modification

Denial of Service

Source

Editor's Choice