Critical miniOrange WordPress SSO Flaw Could Let Attackers Take Over Websites
A critical vulnerability in the miniOrange OAuth Single Sign On plugin could allow an unauthenticated attacker to access a WordPress website as another user, including an administrator.
The flaw, tracked as CVE-2026-57807, affects OAuth Single Sign On – SSO (OAuth Client) versions through 38.5.8. Patchstack assigned it a CVSS score of 9.8 and said no official security update was available when it published the disclosure.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Website owners using the affected release line should disable the plugin or apply an available security mitigation until miniOrange provides a confirmed patched version.
Authentication bypass could lead to complete site takeover
The vulnerability involves an alternative authentication path connected to password recovery. The affected code does not enforce the checks needed to confirm that a request comes from the legitimate account owner.
According to the Patchstack vulnerability disclosure, a remote attacker does not need an existing WordPress account, elevated privileges, or interaction from a site administrator.
Successful exploitation could let the attacker perform actions that normally require a more privileged user. If the attacker impersonates an administrator, the website could face complete compromise.
| Vulnerability detail | Information |
|---|---|
| CVE identifier | CVE-2026-57807 |
| Affected product | miniOrange OAuth Single Sign On – SSO (OAuth Client) |
| Affected versions | Versions through 38.5.8 |
| Vulnerability type | Authentication bypass through an alternate path |
| Authentication required | No |
| User interaction required | No |
| CVSS score | 9.8 critical |
| Official patch status | No confirmed vendor patch at disclosure |
CVE-2026-57807 targets the password recovery process
The vulnerability falls under CWE-288, Authentication Bypass Using an Alternate Path or Channel. This weakness occurs when an application provides another route into an account without applying the protections used by its main login process.
The National Vulnerability Database entry for CVE-2026-57807 describes the issue as password recovery exploitation in the miniOrange OAuth SSO plugin.
Patchstack’s CVSS vector rates the flaw as remotely exploitable with low attack complexity. It also indicates a high potential effect on confidentiality, integrity, and availability.
- An attacker can send the request across the internet.
- The attacker does not need to authenticate first.
- No victim needs to open a link or approve a request.
- Exploitation may provide access to high-privilege accounts.
- An administrator account could give the attacker control over the website.
Administrator access can expose the entire WordPress site
A WordPress administrator can install plugins, edit themes, create users, change settings, and access sensitive information stored in the dashboard.
An attacker who reaches that level could install a malicious plugin or add PHP code to a theme. This could create a persistent backdoor that remains active even after administrators disable the vulnerable SSO plugin.
A compromised administrator account may allow attackers to:
- Create hidden administrator users.
- Steal customer and member information.
- Change posts, pages, and site settings.
- Inject malicious JavaScript or redirects.
- Install web shells and other backdoors.
- Host phishing pages or malware.
- Access API keys and database credentials.
- Use the server to attack other systems.
The exact impact depends on the hosting configuration and the privileges available to the WordPress installation.
The plugin does not run on millions of websites
The public WordPress plugin listing does not support claims that the affected product runs on millions of websites.
The WordPress.org page for OAuth Single Sign On currently reports more than 6,000 active installations. The plugin supports identity providers such as Microsoft Entra ID, Google Workspace, Okta, Keycloak, AWS Cognito, and other OAuth or OpenID Connect services.
The public free plugin and the vulnerable product also use different version formats. WordPress.org lists a 6.x release, while the CVE affects versions through 38.5.8.
| Product information | Observed detail |
|---|---|
| Public WordPress.org version | 6.x release line |
| CVE-affected version | 38.x release line through 38.5.8 |
| Public active installations | More than 6,000 |
| Likely explanation | The vulnerable release may belong to a separate commercial or enterprise edition |
Administrators should check the version shown on their own site instead of assuming that the public repository version confirms whether they face exposure.
No evidence currently confirms active exploitation
Patchstack describes the flaw as highly dangerous and expects attackers to target it. The company warns that authentication bypass vulnerabilities can support automated attacks against many websites.
However, the available vulnerability records do not confirm that attackers have already exploited CVE-2026-57807 in real-world incidents.
The NVD change history includes a CISA Stakeholder-Specific Vulnerability Categorization assessment from July 13. It marks exploitation as “none,” automation potential as “yes,” and technical impact as “total.”
This means organizations should treat exploitation as possible and potentially easy to automate, but they should not describe the vulnerability as an actively exploited zero-day without new evidence.
No official patch was available at disclosure
Patchstack published the vulnerability on July 9, 2026, after researcher Kim Dvash reported it on June 6.
The disclosure listed every affected release through version 38.5.8 and stated that no official patch was available. Patchstack issued a virtual mitigation rule for customers using its protection service.
The Patchstack advisory for the miniOrange vulnerability notes that its mitigation blocks all requests associated with the affected functionality to cover different exploitation scenarios.
That approach could disrupt legitimate authentication or password recovery activity. Administrators should test any web application firewall rule before applying it across production websites.
What WordPress administrators should do now
Administrators should first determine whether their website uses the miniOrange OAuth Single Sign On plugin and identify the exact edition and version.
A site running an affected 38.x release should not remain publicly exposed without a vendor fix or another verified mitigation. Disabling the plugin offers the clearest temporary protection when SSO downtime is acceptable.
Recommended actions include:
- Open the WordPress Plugins page and locate OAuth Single Sign On – SSO (OAuth Client).
- Record the installed version before making changes.
- Confirm whether the site uses the affected commercial or enterprise release line.
- Check miniOrange support channels for a security update.
- Disable the plugin if no patched version exists.
- Apply a tested virtual patch or web application firewall rule when deactivation is not possible.
- Restrict access to login and account recovery endpoints where operationally practical.
- Review administrator accounts and authentication logs for suspicious activity.
- Rotate privileged credentials if evidence suggests unauthorized access.
- Back up the website before updating or changing its authentication system.
Do not remove SSO without planning account access
Some organizations use the plugin as the primary login method for employees, students, customers, or members. Disabling it without preparation could prevent legitimate users from entering the dashboard or protected content.
Before deactivation, administrators should confirm that they have a working local WordPress administrator account and a secure alternative authentication method.
The official WordPress plugin description shows that the product can protect an entire site and disable the standard WordPress login in some paid configurations. Those settings can make emergency removal more complicated.
Organizations should coordinate the change with their identity team, hosting provider, and website developer to avoid an accidental lockout.
Administrators should check for earlier compromise
Applying a future update will close the authentication flaw, but it will not remove changes made by an attacker who already gained administrator access.
Security teams should inspect WordPress accounts, plugins, themes, scheduled tasks, files, and database records for unauthorized changes.
Possible warning signs include:
- Unknown administrator accounts
- Unexpected password reset messages
- Logins from unfamiliar countries or IP addresses
- New plugins that administrators did not install
- Recently modified PHP files
- Injected scripts inside themes or posts
- Changes to SSO and identity provider settings
- New API keys or application passwords
- Unusual outbound connections from the web server
- Disabled security or logging plugins
How to respond after a confirmed takeover
A full administrator compromise should trigger a broader incident response rather than a simple plugin update.
Attackers may obtain database credentials from wp-config.php, modify files outside the plugin directory, steal authentication cookies, or create access through the hosting control panel.
Organizations should take these steps after confirming unauthorized access:
- Place the website into maintenance mode or isolate it from the internet.
- Preserve web, authentication, firewall, and hosting logs.
- Remove unknown users, plugins, themes, and application passwords.
- Replace WordPress core and plugin files with trusted copies.
- Rotate WordPress, database, hosting, SFTP, SSH, and identity provider credentials.
- Change WordPress security salts to invalidate active sessions.
- Scan the database and upload directories for injected code.
- Restore from a verified clean backup when integrity cannot be confirmed.
- Notify affected users when the incident exposed personal information.
Authentication plugins require close security monitoring
Single sign-on plugins sit directly inside the login process. A vulnerability in this layer can undermine protections provided by strong passwords or an external identity provider.
Organizations should include authentication plugins in their highest-priority update and vulnerability monitoring programs.
They should also maintain local emergency administrator access, collect login logs, enforce multifactor authentication where possible, and test incident procedures before an SSO outage occurs.
CVE-2026-57807 currently presents a serious potential risk rather than a confirmed mass-exploitation campaign. Administrators using the affected 38.x release line should still act quickly because remote exploitation requires no existing account or user interaction.
FAQ
CVE-2026-57807 is a critical authentication bypass in the miniOrange OAuth Single Sign On WordPress plugin. It affects versions through 38.5.8 and may allow an unauthenticated attacker to access another user’s account.
Yes. If an attacker gains access as a WordPress administrator, they could install malicious plugins, change site content, steal data, create accounts, and place persistent backdoors on the server.
No confirmed active exploitation has been reported in the available records. Patchstack expects attackers to target the flaw, while CISA’s July 13 assessment listed exploitation as none.
The public WordPress.org listing reports more than 6,000 active installations, not millions. The vulnerable 38.x version range may relate to a separate paid or enterprise edition.
They should disable the affected plugin when possible, use a tested virtual patch or firewall mitigation, preserve alternative administrator access, and inspect the site for unauthorized accounts or code changes.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages