CVE-2026-2418 - Vulnerability Details

- Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass

Description

The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email

Published: 2026-03-05

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Login with Salesforce plugin for WordPress up to version 1.0.2 fails to validate that a user is permitted to authenticate via Salesforce. This omission allows an unauthenticated attacker to assume the identity of any site user, including administrators, by simply supplying a valid email address. The vulnerability directly undermines account confidentiality and can be leveraged for full site compromise.

Affected Systems

WordPress sites that have installed the Login with Salesforce plugin version 1.0.2 or earlier are affected. The plugin, identified only as Login with Salesforce, is widely used to provide single sign‑on via Salesforce. No alternate product versions are listed, so any installation of the plugin at or below 1.0.2 must be considered vulnerable.

Risk and Exploitability

The issue carries a CVSS score of 9.1, denoting critical impact. The EPSS score is below 1 %, indicating a low probability of exploitation, yet the lack of authentication checks makes the attack surface very simple. Based on the description, it is inferred that the likely attack vector is a remote request to the plugin’s authentication endpoint, where an attacker supplies a legitimate email address. The vulnerability is not currently in the CISA KEV catalog, but the potential for immediate privilege escalation warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

unknown

Version	Status	Constraints
`0`	affected	≤ 1.0.2

No data.

Vendor Product Confidence Versions

75%

Version	Status	Scheme	Platform
`[0,1.0.2]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Login with Salesforce plugin to the latest version that includes the authentication validation fix addressing improper authentication (CWE‑287).
If a patched version is not yet available, deactivate or uninstall the plugin to eliminate the bypass route; meanwhile, enforce multi‑factor authentication and ensure only active Salesforce accounts can log in.
Enable comprehensive logging of authentication attempts, monitor for anomalous activity, and apply rate limiting to mitigate unauthorized login attempts linked to improper authentication.

Generated by OpenCVE AI on April 16, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00103.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://wpscan.com/vulnerability/b25c6cbc-39e7-4fa0-af0b-ee7759d2c497/

History

Thu, 16 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Login With Salesforce Login With Salesforce login With Salesforce Wordpress Wordpress wordpress
Vendors & Products		Login With Salesforce Login With Salesforce login With Salesforce Wordpress Wordpress wordpress

Fri, 06 Mar 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 05 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email
Title		Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass
References		https://wpscan.com/vulnerability/b25c6cbc-39e7-4fa0-af0b-ee7759d2c497/

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-03-05T06:00:03.313Z

Updated: 2026-04-02T12:39:57.832Z

Reserved: 2026-02-12T18:55:02.208Z

Link: CVE-2026-2418

Vulnrichment

Updated: 2026-03-06T10:23:09.130Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:51.883

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-2418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object