CVE-2026-2628
miniOrange · All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login (WordPress Plugin)
The All-in-One Microsoft 365 SSO Login plugin for WordPress allows unauthenticated attackers to bypass authentication and gain full administrative access due to an insecure login implementation.
Executive summary
An unauthenticated authentication bypass vulnerability in the miniOrange Microsoft 365 SSO plugin for WordPress allows remote attackers to gain full administrative control over affected websites.
Vulnerability
This vulnerability constitutes a critical authentication bypass. It allows unauthenticated remote attackers to spoof identities and log in as any existing user, including site administrators, without requiring a password or valid SSO token.
Business impact
A successful exploit grants the attacker total control over the WordPress environment, leading to complete data exfiltration, site defacement, or the installation of persistent backdoors. Given the CVSS score of 9.8, this represents a critical risk to confidentiality, integrity, and availability, potentially resulting in significant reputational damage and loss of sensitive customer data.
Remediation
Immediate Action: Update the All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin to the latest version (at least 2.2.6) without delay to close the authentication gap.
Proactive Monitoring: Review WordPress audit logs for unexpected administrative logins or the creation of new, unauthorized administrator accounts originating from unknown IP addresses.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to block unauthorized access to wp-login.php and monitor for suspicious SSO callback patterns.
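The monitoring step above asks for a review of audit logs for unexpected administrator logins and unauthorized administrator accounts. The following Python script is an added example written for this advisory, not code from the plugin or the vendor: it runs that review over a few constructed WordPress-style audit-log lines (the pipe-separated format and the trusted network range are assumptions for illustration; adapt parse_line() and TRUSTED_ADMIN_NETWORKS to the log format and address ranges of your own site). It flags administrator logins from outside the trusted range, new accounts created directly with the administrator role, and role changes that promote an existing user to administrator, then collapses the findings to the source addresses worth investigating.

```python
"""Review constructed WordPress audit-log lines for the post-exploitation signs
named in the advisory: administrator logins from unknown IP addresses and the
creation or promotion of administrator accounts.

The log format is an assumption for this example (flat
"timestamp | event | user | ip | key=value ..." lines, similar to what common
WordPress audit-log plugins emit). Adjust parse_line() for your real format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real data). 203.0.113.0/24 and 192.0.2.0/24
# are documentation address ranges used here as stand-ins.
SAMPLE_LOG = """\
2026-03-01T08:02:11Z | user_login | alice | 203.0.113.10 | method=password role=administrator
2026-03-01T08:30:45Z | user_login | bob | 198.51.100.7 | method=sso role=editor
2026-03-01T09:14:02Z | user_login | alice | 192.0.2.55 | method=sso role=administrator
2026-03-01T09:15:30Z | user_register | svc_backup | 192.0.2.55 | role=administrator
2026-03-01T09:16:01Z | set_user_role | bob | 192.0.2.55 | old=editor new=administrator
2026-03-01T10:00:00Z | user_login | carol | 203.0.113.12 | method=password role=subscriber
"""

# Networks from which administrator logins are expected (assumed for this example).
TRUSTED_ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]

Finding = Tuple[str, str, str, str]  # (timestamp, finding type, user, source ip)


@dataclass
class Event:
    ts: str
    kind: str
    user: str
    ip: str
    detail: Dict[str, str]


def parse_line(line: str) -> Event:
    """Split one assumed-format log line into its five fields."""
    ts, kind, user, ip, detail = [part.strip() for part in line.split("|", 4)]
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return Event(ts, kind, user, ip, fields)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)


def review(events: List[Event]) -> List[Finding]:
    """Apply the three checks the advisory's monitoring guidance calls for."""
    findings: List[Finding] = []
    for e in events:
        # 1. Administrator session established from outside the trusted range.
        if (e.kind == "user_login"
                and e.detail.get("role") == "administrator"
                and not is_trusted(e.ip)):
            findings.append((e.ts, "admin_login_untrusted_ip", e.user, e.ip))
        # 2. Account created directly with the administrator role.
        if e.kind == "user_register" and e.detail.get("role") == "administrator":
            findings.append((e.ts, "new_admin_account", e.user, e.ip))
        # 3. Existing account promoted to administrator.
        if e.kind == "set_user_role" and e.detail.get("new") == "administrator":
            findings.append((e.ts, "privilege_escalation_to_admin", e.user, e.ip))
    return findings


def suspicious_ips(findings: List[Finding]) -> Set[str]:
    """Source addresses that appear in at least one finding."""
    return {ip for _, _, _, ip in findings}


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for ts, kind, user, ip in found:
        print(f"{ts}  {kind:32s} user={user:12s} ip={ip}")
    print("investigate:", ", ".join(sorted(suspicious_ips(found))))
```

On the constructed sample this reports three findings, all tied to 192.0.2.55: an SSO-method administrator login for alice from outside the trusted range, the svc_backup account created as an administrator, and bob promoted from editor to administrator. A legitimate password login by alice from inside the trusted range produces nothing, which is the point of keeping an explicit allowlist rather than alerting on every administrator login.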
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is critical and should be treated as a top priority for remediation. Organizations using this plugin for SSO must apply the vendor-provided update immediately to prevent unauthorized administrative access and potential site takeover.