A 9.8-Severity Flaw, and No Patch Yet
On July 9, 2026, security researchers at Patchstack disclosed a critical vulnerability in the WordPress OAuth Single Sign-On (SSO) plugin by miniOrange — the plugin behind many "Login with Google" and "Login with Microsoft" buttons on WordPress sites.
The flaw, tracked as CVE-2026-57807, scores 9.8 out of 10 on the CVSS severity scale. All versions up to and including 38.5.8 are affected.
What the Vulnerability Allows
The bug lives in the plugin's password recovery mechanism. It opens an alternative authentication pathway that fails to check who is actually asking — which means a remote attacker, with no account, no password and no user interaction, can authenticate as any user on the site. Including the administrator.
Once inside, an attacker can:
- Take complete control of the website
- Inject malicious content or spam
- Steal customer and business data
- Install backdoors that survive cleanups
- Move laterally to other sites on the same hosting account
The Worst Part: No Official Fix Yet
At the time of disclosure, miniOrange had not released an official patch. Patchstack published a virtual patch (a firewall rule that blocks exploitation attempts), but sites without that protection remain exposed.
Vulnerabilities like this one are typically weaponized within days of disclosure, in automated campaigns that scan thousands of sites per hour. Being small is not protection — bots don't check how big your business is.
What You Should Do Now
- Check if you use the plugin (Plugins > Installed Plugins > look for miniOrange OAuth / SSO).
- Deactivate and remove it until an official fix ships, if you can operate without SSO login.
- If you can't remove it, restrict the login and recovery endpoints with firewall rules or IP allowlisting.
- Scan for signs of compromise: unknown admin users, modified files, unexpected scheduled tasks.
- Watch the plugin's page for an official update and apply it the moment it's out.
If any of that sounds like something you'd rather not deal with — that's literally what a maintenance plan is for. We monitor vulnerability disclosures like this one every day for the sites we protect, and act before the bots do.
