WordPress Plugin Vulnerabilities

Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass

Description

The plugin does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email

Proof of Concept

Affects Plugins

Plugin icon
login-with-salesforce
No known fix

References

CVE
CVE-2026-2418

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Submitter website
https://github.com/Nxploited
Submitter twitter
Nxploited
Verified
Yes
WPVDB ID
b25c6cbc-39e7-4fa0-af0b-ee7759d2c497

Timeline

Publicly Published
2026-02-12 (about 21 days ago)
Added
2026-02-12 (about 20 days ago)
Last Updated
2026-02-12 (about 20 days ago)

Other

Published
Title
Published
2019-10-14
Title
Popup-Maker < 1.8.13 - Multiple Vulnerabilities
Published
2025-05-08
Title
PSW Front-end Login & Registration <= 1.12 - Authentication Bypass
Published
2018-05-16
Title
Charitable <= 1.5.13 - Unauthorised Access
Published
2024-09-24
Title
LatePoint < 5.0.13 - Authentication Bypass
Published
2025-10-30
Title
Jobmonster < 4.8.2 - Authentication Bypass