
Attention WordPress Users! Critical Vulnerability Allows Attackers to Gain Full Control Over Your Website!
A new critical vulnerability discovered in the miniOrange OAuth Single Sign-On (SSO OAuth Client) plugin for the WordPress platform poses a serious threat to the security of millions of websites. This vulnerability, registered under identifier CVE-2026-57807, has been rated 9.8 on the CVSS 3.1 scale and is recognized as one of the most dangerous vulnerabilities allowing remote attacks without authentication.
The vulnerability was publicly disclosed by Patchstack researchers on July 9, 2026. This issue falls under the “Identification and Authentication Failures” category in the OWASP Top 10 list and is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
The Nature of the Vulnerability
Investigations have shown that the vulnerability arises from insufficient authentication checks in the plugin’s Password Recovery mechanism.
As a result, an attacker can gain access to the system without possessing any user credentials, without prior registration, and without any user interaction.
If successfully exploited, an attacker can:
- log in as any existing WordPress user, including an administrator;
- gain administrator privileges;
- obtain full access to all site data;
- deploy malicious code or a web shell;
- steal user data;
- modify website content or inject malicious pages;
- carry out malicious activities on the hosting server and attack other systems.
Such an attack can completely compromise the confidentiality, integrity, and availability of information (the CIA triad).
Affected Versions
The vulnerability affects all versions of the miniOrange OAuth Single Sign-On (SSO OAuth Client) plugin up to and including 38.5.8.
The most concerning aspect is that this attack:
- requires no authentication;
- does not require a user account;
- requires no user interaction;
- can be exploited remotely over the Internet;
- has a very low complexity level.
Therefore, this vulnerability is highly suitable for automated mass attacks.
Risk of Mass Exploitation
Patchstack researchers have assessed this vulnerability as a high-priority threat and warn that campaigns of mass exploitation targeting thousands of WordPress sites on the Internet may begin in the coming days.
Cybercriminals typically use automated scanning tools to identify vulnerable WordPress sites and attack thousands of resources simultaneously. Such attacks pose an equal threat to large organizations, small businesses, educational institutions, government agencies, and personal websites.
No Official Patch Currently Available
At the time of writing, the miniOrange developers have not released an official security update addressing this vulnerability.
However, Patchstack has provided a Virtual Patch mechanism for temporary protection, allowing organizations using it to block exploitation attempts.
Recommendations for Administrators
To mitigate this risk, it is recommended to take the following measures immediately:
- if the plugin is not essential, disable it immediately;
- stop using the plugin until an official security update is released;
- restrict access to the WordPress admin panel, login pages, and password recovery pages using a Web Application Firewall (WAF);
- where possible, allow access to admin pages only from trusted IP addresses (IP Allowlisting);
- enable multi-factor authentication (MFA) for administrator accounts;
- regularly monitor WordPress audit logs and check for unknown administrator accounts or suspicious login attempts;
- continuously update all WordPress plugins, themes, and core;
- regularly create backups and store them in a separate secure environment.
Conclusion
Since WordPress is one of the most popular content management systems in the world, any critical vulnerability in it can impact millions of web resources. The CVE-2026-57807 vulnerability is one of the most dangerous, as a serious flaw in the authentication mechanism allows attackers to gain administrator privileges.
Until an official security update is released, organizations and administrators using this plugin are advised to temporarily disable it or implement additional protective measures to limit exploitation. Furthermore, regularly updating all components of the WordPress ecosystem, implementing security monitoring, and using modern protective tools will significantly help reduce cyber risks.



