Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Unauthorized Access to Microsoft 365 Accounts in WordPress Plugins
CVE-2026-2628
Summary
A security weakness in the Microsoft 365 login plugin for WordPress allows unauthorized users to log in as others, including administrators. This means that anyone can access and control Microsoft 365 accounts linked to the plugin. Update the plugin to the latest version to fix this issue.
Original title
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unau...
Original description
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.
nvd CVSS3.1
9.8
Vulnerability type
CWE-288
Authentication Bypass Using Alternate Path
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026