CVE-2026-12281

Shibboleth · Shibboleth WordPress plugin

The Shibboleth WordPress plugin fails to properly verify identity headers, allowing unauthenticated attackers to spoof sessions and potentially gain administrative access.

Executive summary

The Shibboleth WordPress plugin is vulnerable to an improper authentication flaw that allows unauthenticated remote attackers to forge identity headers and gain full administrative control.

Vulnerability

This is an improper authentication vulnerability (CWE-287) where the plugin fails to close sessions when HTTP header identity mode is active without an anti-spoofing key. This allows an unauthenticated remote attacker to inject malicious headers and bypass authentication mechanisms entirely.

Business impact

Successful exploitation poses a critical risk to organizational security, as it grants unauthorized actors full administrative access to the WordPress environment. Given the CVSS score of 8.1, this represents a high-severity threat that could lead to complete data compromise, unauthorized modification of site content, and potential lateral movement into federated identity systems.

Remediation

Immediate Action: Update the Shibboleth WordPress plugin to version 2.5.4 or later immediately.

Proactive Monitoring: Review web server and WordPress access logs for anomalous login activity or requests containing unexpected identity headers.

Compensating Controls: Ensure that the plugin is configured with a robust anti-spoofing key and verify that network-level controls restrict access to identity headers to trusted sources only.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a significant risk to the integrity and confidentiality of WordPress installations, particularly in academic or enterprise environments using federated authentication. Administrators must prioritize updating the plugin to version 2.5.4 or later to prevent unauthorized administrative access.