Critical Authentication Bypass Vulnerabilities Exposed in Popular WordPress Plugins

Cyber defenders warn of critical 9.8-severity authentication bypass flaws in popular miniOrange WordPress plugins, risking total site takeovers.
Image Credit / Cyber Security News

Security experts warn of critical flaws in miniOrange plugins that allow attackers to bypass login screens and seize WordPress admin controls.

Cybersecurity teams are sounding an urgent alarm for website administrators after a series of critical authentication bypass vulnerabilities were discovered in popular security plugins developed by miniOrange. Researchers have uncovered a massive security loophole tracked under the identifier CVE-2026-57807, which carries a near-perfect Common Vulnerability Scoring System (CVSS) severity score of 9.8 out of 10. The vulnerability resides specifically within the “miniOrange OAuth Single Sign On, SSO” (OAuth Client) plugin for WordPress, a widely deployed tool designed to help administrators integrate secure, centralized logins across their web networks. The security alert, widely disseminated during the second week of July 2026, marks a deeply ironic moment for the web ecosystem, as software explicitly trusted to restrict user access has instead introduced a direct gateway for remote attackers to seize total administrative control.

The “why” behind this security crisis points to a fundamental flaw in how the plugin handles alternative entryways to a website, categorized technically as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). In a detailed threat advisory,  experts revealed that the plugin’s built-in password recovery mechanism lacks proper, multi-layered verification checks. An unauthenticated remote attacker with zero prior site access or privileges can abuse this alternate channel to bypass standard login forms entirely. Because the exploit can be launched remotely over the internet and requires absolutely no user interaction or complex social engineering, malicious actors can systematically target exposed WordPress sites, generate illegitimate administrator logins, modify backend code, exfiltrate sensitive customer databases, or inject malicious redirection scripts.

Worse yet, this is not an isolated incident for the developer’s ecosystem; it follows on the heels of another critical 9.8-rated flaw discovered just days earlier in a sister product. According to a security bulletin,  researchers identified CVE-2026-14245, a separate but equally dangerous authentication bypass in the “miniOrange OTP Login, Verification and SMS Notifications” plugin. In that particular case, the plugin failed to execute server-side verification during one-time password (OTP) resets, relying instead on a publicly visible JavaScript token. As a result, an attacker could easily trick the system into spitting out a valid administrator password-reset link in a temporary redirect header. Security monitoring networks, including the National Vulnerability Database, have quickly categorized both exploits as maximum-priority threats due to how easily they can be automated by cybercriminals scanning the web for low-hanging fruit.

See Also: CISA Admits It Built Incident Playbook Mid-Crisis

Because a direct, official vendor patch for the OAuth SSO vulnerability (CVE-2026-57807) has not been widely finalized as of mid-July 2026, cybersecurity agencies are urging immediate action to safeguard affected web servers. For those utilizing the OTP Login plugin, upgrading immediately to version 5.5.2 or higher is required to close the loop. However, for active installations of the OAuth Single Sign-On plugin running versions up to and including 38.5.8, administrators are strongly advised to temporarily deactivate and delete the plugin entirely. If deactivation would break core business operations, security teams recommend deploying custom Web Application Firewall (WAF) rules to block external access to all login and password-recovery endpoints, keeping the digital front door locked until miniOrange rolls out a robust fix.

About the Author

Jennifer Sakmufuwo Baba

Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.