Critical Vulnerability in miniOrange WordPress OAuth SSO Plugin Exposes Millions of Sites to Takeover
A critical authentication bypass vulnerability (CVE-2026-57807) in the miniOrange WordPress OAuth SSO plugin allows unauthenticated attackers to gain full control of websites.

A critical security vulnerability has been discovered in the widely used WordPress OAuth Single Sign–On (SSO) plugin developed by miniOrange, potentially exposing millions of WordPress websites to complete takeover by unauthenticated remote attackers. The flaw, tracked as CVE-2026-57807, carries a CVSS score of 9.8 and was disclosed by Patchstack on July 9, 2026.
The vulnerability is classified as a Broken Authentication issue, falling under the OWASP Top 10 category A7: Identification and Authentication Failures. Technically, it is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and exploits the plugin's password recovery mechanism by failing to enforce proper authentication controls through an alternate pathway. This specific exploit technique maps to CAPEC-50: Password Recovery Exploitation.
All versions of the miniOrange OAuth SSO plugin up to and including version 38.5.8 are affected by this critical flaw. The attack vector is particularly concerning as it requires no authentication, no prior account access, and no user interaction, presenting a low attack complexity that makes it trivially exploitable from anywhere on the internet.
An unauthenticated remote attacker can abuse the plugin's flawed password recovery flow to bypass login controls entirely. Once access is gained, the attacker can authenticate as any user on the site, including administrators. This leads to a complete compromise of the website's confidentiality, integrity, and availability.
Successful exploitation can result in a full site takeover, enabling attackers to inject malicious content, exfiltrate sensitive data, install backdoors, and potentially move laterally within the hosting environment. Patchstack has flagged this as a high-priority vulnerability, anticipating its use in mass-exploit campaigns targeting a wide range of websites.
As of the disclosure, no official patch has been released by miniOrange. However, Patchstack has provided a virtual patch to block exploitation attempts until a permanent fix is issued. Site administrators are strongly advised to immediately deactivate and remove the vulnerable plugin from all internet-exposed WordPress installations until an official security update is available.
For those unable to remove the plugin immediately, administrators should implement access restrictions to WordPress login and password recovery endpoints. This can be achieved using Web Application Firewall (WAF) rules or IP-based allowlisting to significantly reduce the attack surface. Security researcher Kim Dvash originally reported the vulnerability on June 6, 2026, and the NVD formally published the CVE record on July 10, 2026.
Users are urged to monitor the official WordPress plugin repository and miniOrange's security advisories for the release of a patched version and to apply updates promptly once they become available to mitigate this critical risk.