PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15013 cyberlord92 CVE debrief

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion. The plugin incorrectly handles the `SignatureMethod` Algorithm attribute from the `SAMLResponse` parameter, allowing attackers to forge a SAML assertion and gain administrator-level account takeover. This critical vulnerability affects administrators and users of WordPress sites using the SAML Single Sign On – SSO Login plugin, particularly those with administrator-level accounts. Immediate action is required to protect these sites from potential exploitation.

Vendor
cyberlord92
Product
SAML Single Sign On – SSO Login
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of WordPress sites using the SAML Single Sign On – SSO Login plugin, especially those with administrator-level accounts, should be aware of this critical vulnerability and take immediate action to protect their sites.

Technical summary

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

Defensive priority

High

Recommended defensive actions

  • Immediately update the SAML Single Sign On – SSO Login plugin to a version that fixes this vulnerability.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Restrict access to sensitive areas of the WordPress site to trusted users only.
  • Consider implementing a web application firewall (WAF) to help detect and prevent attacks.
  • Regularly review and update all plugins and themes on the WordPress site to ensure they are up-to-date and patched.

Evidence notes

The CVE record was published on 2026-07-16T05:16:18.043Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the vulnerability's presence in their environments and review the official advisory for specific guidance on mitigation and remediation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T05:16:18.043Z and has not been modified since then.