Critical WordPress Plugin Bug Lets Attackers Control Websites
Key Takeaways A critical broken authentication vulnerability (CVE-2026-57807) has been found in the miniOrange WordPress OAuth Single Sign-On (SSO) plugin. The flaw affects all plugin versions up to...
Key Takeaways
- A critical broken authentication vulnerability (CVE-2026-57807) has been found in the miniOrange WordPress OAuth Single Sign-On (SSO) plugin.
- The flaw affects all plugin versions up to and including 38.5.8, allowing unauthenticated attackers to fully compromise websites.
- With a CVSS score of 9.8, the vulnerability permits full site takeover, including administrator account access.
- No official patch is currently available from miniOrange, but a virtual patch has been released by Patchstack.
Critical Flaw Exposes WordPress Sites to Full Takeover
A severe security vulnerability in the widely deployed miniOrange WordPress OAuth Single Sign-On (SSO) plugin is leaving countless WordPress websites vulnerable to complete control by remote, unauthenticated attackers. This critical flaw, identified as CVE-2026-57807, carries a near-maximum CVSS score of 9.8, signaling an extreme risk.
Table Of Content
The vulnerability was publicly disclosed by Patchstack on July 9, 2026. It is categorized as a Broken Authentication flaw, aligning with the OWASP Top 10’s “Identification and Authentication Failures” (A7) category. Technically, the issue stems from CWE-288 (Authentication Bypass Using an Alternate Path or Channel), specifically exploiting an insecure password recovery mechanism within the plugin. This method bypasses crucial authentication controls, correlating with CAPEC-50: Password Recovery Exploitation.
All versions of the miniOrange OAuth Single Sign-On (SSO) plugin, up to and including 38.5.8, are susceptible. Exploitation requires no prior authentication, no existing user account, and no user interaction, making it exceptionally easy for attackers to leverage from any location on the internet.
Unauthenticated Attackers Can Seize Control
The core of the vulnerability lies in a flawed password recovery process that allows an unauthenticated remote attacker to completely circumvent standard login procedures. Once exploited, the attacker can authenticate as any user on the WordPress site, including administrative accounts. This grants them full control over the website, compromising its confidentiality, integrity, and availability.
Successful exploitation can lead to a range of severe consequences, including full website takeover, injection of malicious content, exfiltration of sensitive data, installation of backdoors, and potential lateral movement within the broader hosting environment. Patchstack has highlighted this as a high-priority vulnerability, anticipating that it will be rapidly incorporated into mass-exploitation campaigns targeting numerous websites simultaneously, regardless of their size or traffic volume.
While an official security update from miniOrange is not yet available, Patchstack has released a virtual patch to mitigate exploitation attempts until a permanent fix is issued. The vulnerability was initially reported by security researcher Kim Dvash on June 6, 2026, with the NVD formally publishing the CVE record on July 10, 2026.
What You Should Do
- Site administrators running any version of the miniOrange OAuth Single Sign-On (SSO) plugin up to and including 38.5.8 are strongly advised to immediately deactivate and remove the plugin from all internet-exposed WordPress installations.
- If immediate removal is not feasible, restrict access to WordPress login and password recovery endpoints. This can be achieved by implementing Web Application Firewall (WAF) rules or IP-based allowlisting to reduce the attack surface.
- Monitor the official WordPress plugin repository and miniOrange security advisories closely for the release of a patched version, and apply updates as soon as they become available.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.