← Back to News  ·  July 16, 2026

Millions of WordPress Sites Exposed: SSO Plugin Lets Attackers Log In as Admin Without a Password

A 9.8-Severity Flaw, and No Patch Yet

On July 9, 2026, security researchers at Patchstack disclosed a critical vulnerability in the WordPress OAuth Single Sign-On (SSO) plugin by miniOrange — the plugin behind many "Login with Google" and "Login with Microsoft" buttons on WordPress sites.

The flaw, tracked as CVE-2026-57807, scores 9.8 out of 10 on the CVSS severity scale. All versions up to and including 38.5.8 are affected.

What the Vulnerability Allows

The bug lives in the plugin's password recovery mechanism. It opens an alternative authentication pathway that fails to check who is actually asking — which means a remote attacker, with no account, no password and no user interaction, can authenticate as any user on the site. Including the administrator.

Once inside, an attacker can:

  • Take complete control of the website
  • Inject malicious content or spam
  • Steal customer and business data
  • Install backdoors that survive cleanups
  • Move laterally to other sites on the same hosting account

The Worst Part: No Official Fix Yet

At the time of disclosure, miniOrange had not released an official patch. Patchstack published a virtual patch (a firewall rule that blocks exploitation attempts), but sites without that protection remain exposed.

Vulnerabilities like this one are typically weaponized within days of disclosure, in automated campaigns that scan thousands of sites per hour. Being small is not protection — bots don't check how big your business is.

What You Should Do Now

  1. Check if you use the plugin (Plugins > Installed Plugins > look for miniOrange OAuth / SSO).
  2. Deactivate and remove it until an official fix ships, if you can operate without SSO login.
  3. If you can't remove it, restrict the login and recovery endpoints with firewall rules or IP allowlisting.
  4. Scan for signs of compromise: unknown admin users, modified files, unexpected scheduled tasks.
  5. Watch the plugin's page for an official update and apply it the moment it's out.

If any of that sounds like something you'd rather not deal with — that's literally what a maintenance plan is for. We monitor vulnerability disclosures like this one every day for the sites we protect, and act before the bots do.

Originally reported by Patchstack

Frequently Asked Questions

How do I know if my WordPress site uses the miniOrange OAuth SSO plugin?

Log in to your WordPress admin and go to Plugins > Installed Plugins. Look for 'OAuth Single Sign On' or 'WordPress OAuth SSO' by miniOrange. If you use a 'Login with Google/Microsoft/other provider' button on your site, there is a good chance an SSO plugin like this one is behind it. If you are not sure, ask whoever maintains your site to check — this specific plugin is affected in all versions up to and including 38.5.8.

There is no official patch. What should I do in the meantime?

The safest option is to deactivate and remove the plugin until miniOrange releases a fixed version. If your business depends on SSO login and you cannot remove it, restrict access to the login and password recovery endpoints with firewall rules or IP allowlisting, and monitor the plugin page closely for an update. A managed firewall with virtual patching (like the one Patchstack released for this flaw) can also block exploitation attempts.

How would I know if my site was already compromised through this vulnerability?

Check for administrator accounts you don't recognize, recently modified core or plugin files, unexpected scheduled tasks, and traffic to unknown domains. Because this flaw allows attackers to authenticate as any user without triggering failed-login alerts, a professional malware scan is the most reliable way to know for sure.

Why are authentication bypass vulnerabilities so dangerous?

Most WordPress attacks need to guess a password or trick a user. An authentication bypass skips all of that: the attacker simply walks in as an administrator. From there they can install backdoors, steal customer data, inject spam or ransomware, and pivot to other sites on the same hosting account. That's why this flaw scored 9.8 out of 10 and is expected to be mass-exploited.

Keeping a website secure requires constant monitoring, updates and vulnerability management.

See our protection plans →

Let's talk!

We would like to help you.

+1 (857) 365-6734

Dobke