Description
Authentication Bypass by Spoofing vulnerability in Saad Iqbal All In One Login change-wp-admin-login allows Identity Spoofing. This issue affects All In One Login: from n/a through <= 2.0.8.
Published: 2025-11-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affecting the Saad Iqbal All In One Login plugin allows attackers to spoof identities during authentication, resulting in unauthorized access to the WordPress administration area without requiring a valid password. This flaw is a classic example of identity spoofing, classified as CWE-290.

Affected Systems

WordPress sites using the Saad Iqbal All In One Login plugin version 2.0.8 or earlier are affected. All releases from the plugin’s initial version up to and including 2.0.8 are impacted.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves remote submission of forged authentication requests to the plugin’s login endpoint, which could grant administrative access, though the advisory does not provide specific exploitation details.

Generated by OpenCVE AI on April 30, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the All In One Login plugin to version 2.0.9 or later.
  • If an update is not possible, temporarily disable or remove the plugin to eliminate the attack surface.
  • Add multi‑factor authentication to the WordPress admin area as a supplemental control until the patch is applied.



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 10 Nov 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Saad Iqbal; Saad Iqbal all In One Login; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Saad Iqbal; Saad Iqbal all In One Login; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Authentication Bypass by Spoofing vulnerability in Saad Iqbal All In One Login change-wp-admin-login allows Identity Spoofing. This issue affects All In One Login: from n/a through <= 2.0.8.

Type: Title
Values Removed: (none)
Values Added: WordPress All In One Login plugin <= 2.0.8 - Bypass Vulnerability vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-290

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.859Z

Reserved: 2025-09-03T09:02:27.116Z

Link: CVE-2025-58595

Vulnrichment

Updated: 2025-11-10T18:39:50.514Z

NVD

Status: Deferred

Published: 2025-11-06T16:15:59.233

Modified: 2026-04-29T10:16:51.083

Link: CVE-2025-58595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:45:24Z

Weaknesses