Auth bypass enables admin takeover in WordPress Azure AD SSO
TL;DR — A missing OIDC id_token validation step in the login-with-azure WordPress SSO plugin can let unauthenticated attackers forge tokens and sign in as administrators.
What happened
All-in-One Microsoft 365 & Entra ID/Azure AD SSO Login (aka login-with-azure) is a WordPress plugin that adds Microsoft Entra ID (Azure AD) single sign-on (SSO) to WordPress using OpenID Connect (OIDC). YesWeHack published a write-up describing CVE-2026-2628, a Critical authentication bypass caused by missing id_token validation (notably signature verification against the IdP’s JWKS keys), allowing an unauthenticated attacker to craft a request to the plugin’s authentication callback and log in as an arbitrary WordPress user (including administrators).
| Item | Source value |
|---|---|
| Affected software | WordPress plugin All-in-One Microsoft 365 & Entra ID/Azure AD SSO Login (login-with-azure) |
| Impact | Authentication bypass; login as arbitrary user; admin takeover |
| Severity | CVSS v3.1 9.8 (Critical) |
| Affected versions | <= 2.2.5 |
| Patch status (per source) | Patched in 2.2.6 |
OIDC implementation mistakes (especially token validation gaps) are a recurring failure mode in SSO integrations. Because SSO plugins sit directly on the authentication boundary and can yield “looks legitimate” admin logins, this class of bug tends to be high-leverage and operationally hard to detect at scale.
Who is impacted
- WordPress sites using All-in-One Microsoft 365 & Entra ID/Azure AD SSO Login (login-with-azure) at versions <= 2.2.5.
- Deployments relying on this plugin for Microsoft Entra ID (Azure AD) SSO, where a forged OIDC id_token can be submitted to the authentication callback path.
- Higher-risk sites where WordPress administrator access implies immediate ability to upload plugins/themes, change authentication settings, and plant persistent access.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- YesWeHack's mitigation guidance (verbatim):
- "Upgrade to version 2.2.6 or later, which addresses the vulnerability"
- "Otherwise, disable the plugin"
- "Restrict inbound access to the authentication callback endpoint using IP filtering where possible"
- If you need to prioritize detection work, YesWeHack notes correlation-based signals such as:
- WordPress logins without corresponding Microsoft Entra ID sign-in events.
- Malformed or unusual OAuth/OIDC parameters submitted to the callback endpoint.
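A minimal version of the two correlation checks listed above, as an added Python example (not code from the write-up or the plugin): it flags WordPress SSO logins with no matching Entra ID sign-in shortly beforehand, and callback requests whose OIDC parameters are missing or structurally malformed. The log records, the WordPress-user-to-UPN mapping and the callback path are constructed placeholders.

```python
import base64
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

def _b64url(obj):
    """Encode a dict as an unpadded base64url JWT segment (used only to build sample data)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample records, not real logs. The callback path is an assumed placeholder.
CALLBACK = "/example-sso-callback"
WP_LOGINS = [("2026-03-01T10:00:05", "alice", "sso"),   # (time, WordPress user, auth method)
             ("2026-03-01T10:30:00", "admin", "sso")]
ENTRA_SIGNINS = [("2026-03-01T09:59:50", "alice@example.com")]  # (time, user principal name)
UPN_MAP = {"alice": "alice@example.com", "admin": "admin@example.com"}  # WP user -> Entra UPN
CALLBACK_REQUESTS = [
    f"{CALLBACK}?code=codeXYZ&state=s1",                       # normal authorization-code flow
    f"{CALLBACK}?id_token={_b64url({'alg': 'RS256', 'kid': 'k1'})}.{_b64url({'sub': 'u'})}.sig&state=s1",
    f"{CALLBACK}?id_token=not.a-jwt&state=s1",                 # structurally broken token
]

def unmatched_sso_logins(wp_logins, entra_signins, upn_map, window=timedelta(minutes=5)):
    """WordPress SSO logins with no Entra ID sign-in for the mapped UPN within `window` beforehand."""
    flagged = []
    for ts, user, method in wp_logins:
        if method != "sso":
            continue
        t, upn = datetime.fromisoformat(ts), upn_map.get(user)
        if not any(u == upn and timedelta(0) <= t - datetime.fromisoformat(s) <= window
                   for s, u in entra_signins):
            flagged.append(user)
    return flagged

def callback_anomalies(request_target, expected_alg="RS256"):
    """Reasons a callback request looks malformed or unusual; an empty list means it looks normal."""
    reasons = []
    params = parse_qs(urlsplit(request_target).query)
    if "state" not in params:
        reasons.append("missing state")
    if "code" not in params and "id_token" not in params:
        reasons.append("no code or id_token")
    for tok in params.get("id_token", []):
        parts = tok.split(".")
        if len(parts) != 3:
            reasons.append("id_token is not a three-segment JWT")
            continue
        try:  # decode only the header here; signature and claims are checked by the real validator
            header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
        except ValueError:
            reasons.append("undecodable JWT header")
            continue
        if header.get("alg") != expected_alg or "kid" not in header:
            reasons.append("unexpected JWT header (alg/kid)")
    return reasons
```

On the constructed data, `unmatched_sso_logins` returns `["admin"]` (no Entra sign-in precedes that login) and only the third callback request is flagged; in production, replace the inline records with your audit-log, Entra sign-in and web-server exports.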
