Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Active Directory Accounts Enumerated via PowerShell Script
July 13, 2026
Debian 13 Trixie Released With Security Updates
July 13, 2026
iPhone, MacBook Forensics Expose £113,000 Property Fraud
July 13, 2026
Home/CyberSecurity News/Critical WordPress Plugin Bug Lets Attackers Control Websites
CyberSecurity News

Critical WordPress Plugin Bug Lets Attackers Control Websites

Key Takeaways A critical broken authentication vulnerability (CVE-2026-57807) has been found in the miniOrange WordPress OAuth Single Sign-On (SSO) plugin. The flaw affects all plugin versions up to...

Jennifer sherman
Jennifer sherman
July 13, 2026 3 Min Read
2 0

Key Takeaways

  • A critical broken authentication vulnerability (CVE-2026-57807) has been found in the miniOrange WordPress OAuth Single Sign-On (SSO) plugin.
  • The flaw affects all plugin versions up to and including 38.5.8, allowing unauthenticated attackers to fully compromise websites.
  • With a CVSS score of 9.8, the vulnerability permits full site takeover, including administrator account access.
  • No official patch is currently available from miniOrange, but a virtual patch has been released by Patchstack.

Critical Flaw Exposes WordPress Sites to Full Takeover

A severe security vulnerability in the widely deployed miniOrange WordPress OAuth Single Sign-On (SSO) plugin is leaving countless WordPress websites vulnerable to complete control by remote, unauthenticated attackers. This critical flaw, identified as CVE-2026-57807, carries a near-maximum CVSS score of 9.8, signaling an extreme risk.

Table Of Content

  • Key Takeaways
  • Critical Flaw Exposes WordPress Sites to Full Takeover
  • Unauthenticated Attackers Can Seize Control
  • What You Should Do

The vulnerability was publicly disclosed by Patchstack on July 9, 2026. It is categorized as a Broken Authentication flaw, aligning with the OWASP Top 10’s “Identification and Authentication Failures” (A7) category. Technically, the issue stems from CWE-288 (Authentication Bypass Using an Alternate Path or Channel), specifically exploiting an insecure password recovery mechanism within the plugin. This method bypasses crucial authentication controls, correlating with CAPEC-50: Password Recovery Exploitation.

All versions of the miniOrange OAuth Single Sign-On (SSO) plugin, up to and including 38.5.8, are susceptible. Exploitation requires no prior authentication, no existing user account, and no user interaction, making it exceptionally easy for attackers to leverage from any location on the internet.

Unauthenticated Attackers Can Seize Control

The core of the vulnerability lies in a flawed password recovery process that allows an unauthenticated remote attacker to completely circumvent standard login procedures. Once exploited, the attacker can authenticate as any user on the WordPress site, including administrative accounts. This grants them full control over the website, compromising its confidentiality, integrity, and availability.

Successful exploitation can lead to a range of severe consequences, including full website takeover, injection of malicious content, exfiltration of sensitive data, installation of backdoors, and potential lateral movement within the broader hosting environment. Patchstack has highlighted this as a high-priority vulnerability, anticipating that it will be rapidly incorporated into mass-exploitation campaigns targeting numerous websites simultaneously, regardless of their size or traffic volume.

While an official security update from miniOrange is not yet available, Patchstack has released a virtual patch to mitigate exploitation attempts until a permanent fix is issued. The vulnerability was initially reported by security researcher Kim Dvash on June 6, 2026, with the NVD formally publishing the CVE record on July 10, 2026.

What You Should Do

  • Site administrators running any version of the miniOrange OAuth Single Sign-On (SSO) plugin up to and including 38.5.8 are strongly advised to immediately deactivate and remove the plugin from all internet-exposed WordPress installations.
  • If immediate removal is not feasible, restrict access to WordPress login and password recovery endpoints. This can be achieved by implementing Web Application Firewall (WAF) rules or IP-based allowlisting to reduce the attack surface.
  • Monitor the official WordPress plugin repository and miniOrange security advisories closely for the release of a patched version, and apply updates as soon as they become available.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Armored Likho APT deploys BusySnake stealer with AI-generated loaders

Next Post

AI Worm Could Regenerate Exploits, Adapt to Defenses in Real Time

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us