CVE-2026-2628 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 3, 2026
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login - Authentication Bypass
Overview
All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login WordPress plugin <= 2.2.5 contains an authentication bypass caused by improper authentication checks, letting unauthenticated attackers log in as other users including administrators, exploit requires no special privileges.
Severity & Score
Impact
Unauthenticated attackers can log in as any user, including administrators, leading to full system compromise.
Mitigation
Update to the latest version beyond 2.2.5.
References
Social Media Activity(2 posts)
š“ CVE-2026-2628 - Critical (9.8) The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and... š https://www.thehackerwire.com/vulnerability/CVE-2026-2628/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
ā ļø CVE-2026-2628: CRITICAL auth bypass in All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin (ā¤2.2.5). Attackers can access WP admin accounts with no credentials. Disable plugin or restrict logins until patched! https://radar.offseq.com/threat/cve-2026-2628-cwe-288-authentication-bypass-using--3ce6682b #OffSeq #WordPress #AzureAD
View original postGitHub Repositories(1 repo)
Related Resources
Details
- CVE ID
- CVE-2026-2628
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- broken_authentication
- Status
- unconfirmed
- EPSS
- 24.8%
- Social Posts
- 2
CWE
- CWE-288
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H