CyberSecurityNews

Critical WordPress Plugin Vulnerability Allow Attackers to Gain Full Control Over Website


A critical security vulnerability has been discovered in the widely used WordPress OAuth Single Sign–On (SSO (OAuth Client) plugin developed by miniOrange, exposing millions of WordPress websites to complete takeover by unauthenticated remote attackers.

The flaw, tracked as CVE-2026-57807, carries a near-maximum CVSS score of 9.8 and was disclosed by Patchstack on July 9, 2026.

The vulnerability is classified as a Broken Authentication flaw under OWASP Top 10 category A7: Identification and Authentication Failures.

Technically, the vulnerability is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and exploits the plugin’s password recovery mechanism.

Specifically, it exploits an alternative authentication pathway that fails to enforce authentication controls. This maps to CAPEC-50: Password Recovery Exploitation.

All versions of the plugin up to and including 38.5.8 are affected. The attack requires no authentication, no prior account access, and no user interaction, making it trivially exploitable from anywhere on the internet with low attack complexity.

WordPress Plugin Vulnerability

An unauthenticated remote attacker can abuse the plugin’s flawed password recovery flow to bypass login controls entirely.

Once the attacker has exploited the site, they can authenticate as any WordPress user on the site, including administrators, resulting in a full compromise of confidentiality, integrity, and availability.

Successful exploitation can lead to complete site takeover, malicious content injection, data exfiltration, backdoor installation, and further lateral movement within the hosting environment.

Patchstack has classified this as a high-priority vulnerability that is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or traffic levels.

No official patch is available from miniOrange, but Patchstack has released a virtual patch to block exploitation attempts until a fix is issued.

Site administrators running any version up to 38.5.8 are strongly advised to immediately deactivate and remove the plugin from all internet-exposed WordPress installations until an official security update is released.

Where immediate removal is not feasible, administrators should restrict access to WordPress login and password recovery endpoints using Web Application Firewall (WAF) rules or IP-based allowlisting to reduce the attack surface.

Security researcher Kim Dvash originally reported the vulnerability on June 6, 2026. The NVD formally published the CVE record on July 10, 2026.

Users are encouraged to monitor the official WordPress plugin repository and miniOrange security advisories closely for a patched release, and to apply updates as soon as they become available.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link