PatchSiren cyber security CVE debrief
CVE-2026-15013 cyberlord92 CVE debrief
The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion. The plugin incorrectly handles the `SignatureMethod` Algorithm attribute from the `SAMLResponse` parameter, allowing attackers to forge a SAML assertion and gain administrator-level account takeover. This critical vulnerability affects administrators and users of WordPress sites using the SAML Single Sign On – SSO Login plugin, particularly those with administrator-level accounts. Immediate action is required to protect these sites from potential exploitation.
- Vendor
- cyberlord92
- Product
- SAML Single Sign On – SSO Login
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of WordPress sites using the SAML Single Sign On – SSO Login plugin, especially those with administrator-level accounts, should be aware of this critical vulnerability and take immediate action to protect their sites.
Technical summary
The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.
Defensive priority
High
Recommended defensive actions
- Immediately update the SAML Single Sign On – SSO Login plugin to a version that fixes this vulnerability.
- Implement additional monitoring to detect potential exploitation attempts.
- Restrict access to sensitive areas of the WordPress site to trusted users only.
- Consider implementing a web application firewall (WAF) to help detect and prevent attacks.
- Regularly review and update all plugins and themes on the WordPress site to ensure they are up-to-date and patched.
Evidence notes
The CVE record was published on 2026-07-16T05:16:18.043Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the vulnerability's presence in their environments and review the official advisory for specific guidance on mitigation and remediation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T05:16:18.043Z and has not been modified since then.