A critical authentication bypass in the miniOrange OAuth Single Sign-On (SSO) WordPress plugin lets any anonymous attacker log in as any WordPress user — including site administrators — with no credentials, no prior account, and no user interaction. The flaw was quietly published to NVD on July 10, 2026 and picked up by the security press on July 13; as of publication there is still no patch from the vendor. Until a fix ships, the safest path is to deactivate and remove the plugin.
What the Vulnerability Is
The plugin implements an alternate authentication path through a password-recovery flow that is supposed to help users recover locked accounts. The problem is that this flow does not properly enforce authentication controls: it lets an unauthenticated caller trigger and complete the recovery for any registered user, including site admins. An attacker crafts a request that abuses this recovery pathway (CWE-288 / CAPEC-50: Password Recovery Exploitation) and emerges with a valid WordPress session for whoever they targeted.
The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H captures the full picture: fully network-accessible, low complexity, no privileges needed, no victim involvement, complete compromise across confidentiality, integrity, and availability.
Researcher Kim Dvash originally reported the flaw to miniOrange on June 6, 2026. It sat unpatched. Patchstack published the CVE entry on July 9, 2026 and media coverage followed on July 13.
Why It Matters
- No patch exists — the vendor has not shipped a fix as of July 14, 2026. Every site still running the affected plugin is exposed until one arrives.
- Mass-exploitation potential — Patchstack rates this High Priority, warning that authentication-bypass flaws of this class are routinely weaponised in automated campaigns that sweep thousands of sites simultaneously regardless of traffic or size.
- Full site takeover — gaining admin access means an attacker can install plugins, create backdoor accounts, inject malicious JavaScript, exfiltrate the database, redirect visitors to malware, or enroll the site in a botnet.
- Hosting blast radius — on shared hosts, a single compromised WordPress installation can be leveraged to pivot into other sites on the same account or server.
- Historical context — this is not the plugin’s first rodeo: miniOrange OAuth SSO also carried CVE-2024-10111 (CVSS 8.1, authentication bypass) back in December 2024, which suggests the authentication logic has been a recurring weak point.
Am I Affected?
You are affected if:
- Your WordPress site has the OAuth Single Sign On – SSO (OAuth Client) plugin by miniOrange installed, and
- You are running any version up to and including 38.5.8, and
- The site is internet-accessible.
There is no safe configuration of the vulnerable version — the flaw lives in the core password recovery flow that cannot be disabled without removing the plugin.
To check your version: log into wp-admin → Plugins → find “OAuth Single Sign On – SSO (OAuth Client)” → check the Version column.
What to Do About It: Step-by-Step
Immediate action (no patch available):
-
Deactivate and delete the plugin now.
- In wp-admin → Plugins, click Deactivate next to the miniOrange OAuth SSO plugin.
- Then click Delete and confirm.
- This eliminates the attack surface entirely.
-
If you cannot remove it immediately, apply emergency hardening:
- Block access to WordPress login and password-recovery endpoints at the web server or WAF level. For NGINX, add:
location ~ ^/wp-login\.php { allow <your-office-IP>; deny all; } - For Apache:
<FilesMatch "^wp-login\.php$"> Require ip <your-office-IP> </FilesMatch> - This does not fix the underlying flaw but reduces exposure.
- Block access to WordPress login and password-recovery endpoints at the web server or WAF level. For NGINX, add:
-
If you use Patchstack (a WordPress security service), a virtual patch blocking exploit attempts has been deployed automatically. This buys time but is not a substitute for removing or patching the plugin.
-
Audit for signs of compromise. Check recent admin account creations (wp-admin → Users → filter by role Administrator), look for unfamiliar accounts created in the last ~30 days, and review your access logs for suspicious POST requests to
/wp-login.phpor password-reset flows. -
Watch the WordPress plugin repository at
https://wordpress.org/plugins/miniorange-oauth-oidc-single-sign-on/for a patched release, and apply it the moment it appears. -
Consider an SSO alternative. If the OAuth SSO functionality is important to your site, evaluate other vetted plugins (WP OAuth Server, OAuth2 Provider by Justin Greer, or your IdP’s official plugin) while waiting for a fix.
Quick-Win Checklist
- Verified the miniOrange OAuth SSO plugin is installed and checked its version
- Deactivated and deleted the plugin (recommended)
- OR applied WAF/IP-restriction rules to wp-login.php if removal is not yet possible
- Checked Users → Administrator list for suspicious newly created accounts
- Searched access logs for high-volume POST requests to wp-login.php
- Subscribed to the plugin’s update feed or set a calendar reminder to check daily for a patch
- Informed any co-admins or the site owner so they are aware
Sources
- GBHackers — Critical WordPress OAuth SSO Plugin Flaw Allows Unauthenticated Attackers to Gain Admin Access (July 13, 2026)
- Cyber Security News — Critical WordPress Plugin Vulnerability Allows Attackers to Gain Full Control Over Website (July 13, 2026)
- NVD — CVE-2026-57807 Detail (Published July 10, 2026)
- Patchstack — Vulnerability Database Entry (July 9, 2026)