CVE-2026-12281
Shibboleth · Shibboleth WordPress plugin
The Shibboleth WordPress plugin fails to properly verify identity headers, allowing unauthenticated attackers to spoof sessions and potentially gain administrative access.
Executive summary
The Shibboleth WordPress plugin is vulnerable to an improper authentication flaw that allows unauthenticated remote attackers to forge identity headers and gain full administrative control.
Vulnerability
This is an improper authentication vulnerability (CWE-287) where the plugin fails to close sessions when HTTP header identity mode is active without an anti-spoofing key. This allows an unauthenticated remote attacker to inject malicious headers and bypass authentication mechanisms entirely.
Business impact
Successful exploitation poses a critical risk to organizational security, as it grants unauthorized actors full administrative access to the WordPress environment. Given the CVSS score of 8.1, this represents a high-severity threat that could lead to complete data compromise, unauthorized modification of site content, and potential lateral movement into federated identity systems.
Remediation
Immediate Action: Update the Shibboleth WordPress plugin to version 2.5.4 or later immediately.
Proactive Monitoring: Review web server and WordPress access logs for anomalous login activity or requests containing unexpected identity headers.
Compensating Controls: Ensure that the plugin is configured with a robust anti-spoofing key and verify that network-level controls restrict access to identity headers to trusted sources only.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a significant risk to the integrity and confidentiality of WordPress installations, particularly in academic or enterprise environments using federated authentication. Administrators must prioritize updating the plugin to version 2.5.4 or later to prevent unauthorized administrative access.