Critical Wordpress Plugin Vulnerability Allows Attackers to Gain Full Control Over Website
CVE-2026-57807 lands with a CVSS 9.8. The miniOrange OAuth Single Sign-On (SSO) WordPress plugin exposes every install running version 38.5.8 or below to unauthenticated remote takeover.

Patchstack disclosed the flaw on July 9, 2026; no vendor patch exists as of publication.
Vulnerability Surface
The defect maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel), OWASP Top 10 A7 (Identification and Authentication Failures), and CAPEC-50 (Password Recovery Exploitation). The plugin's password recovery flow accepts an alternate authentication path that fails to enforce login controls. An unauthenticated attacker triggering the flow can authenticate as any registered user, including administrators.
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Network-based. No privileges. No interaction. Low complexity. Confidentiality, integrity, and availability all rated High. Patchstack flagged it High Priority and expects mass-exploit campaigns.
Diagnosis & Containment
Reported by researcher Kim Dvash on June 6, 2026; NVD entry published July 10, 2026. Versions ≤ 38.5.8 are vulnerable. miniOrange has not released an official fix. Patchstack has shipped a virtual patch (WAF rule) as a temporary mitigation.
For any site with miniOrange OAuth SSO ≤ 38.5.8 reachable from the public internet:
1. Deactivate and uninstall the plugin. Removal is the only guaranteed state.
2. If removal breaks SSO-dependent workflows, restrict access to /wp-login.php and the password recovery endpoint via WAF rules or IP allowlists.
3. Activate Patchstack's virtual patch where available on the host.
4. Audit artifacts: wp_users for unauthorized admin rows, wp_options (active_plugins, cron) for unknown entries, /wp-content/uploads/ for dropped PHP files, scheduled actions for unfamiliar cron events.
5. Rotate all WordPress admin credentials and any secrets in wp-config.php (DB password, AUTH_KEY, SALTs).
6. Review web server access logs for POST requests against password reset and login endpoints from unrecognized IP ranges during the exposure window.
Pattern, Not Anomaly
miniOrange OAuth SSO carries a prior CVE-2024-10111 (CVSS 8.1), disclosed December 2024, in the same authentication-bypass family. OAuth integration plugins occupy a privileged position in the WordPress auth stack: a bypass at this layer collapses downstream access control. Treat the category as high-risk by default and review disclosure history before deployment.
A separate unauthenticated time-based blind SQL injection (CVE-2026-4661) was disclosed in the WP CTA plugin around the same window. Sites running WP CTA should confirm version status and remove the plugin if the vendor has not shipped a fix.
Baseline Checklist
- miniOrange OAuth SSO version confirmed ≤ 38.5.8 → plugin removed or quarantined.
- WAF rule active on password recovery and
/wp-login.phpPOST traffic. - Admin account count matches the expected roster; no unknown
wp_capabilitiescontainingadministrator. - No unexpected PHP files under
/wp-content/uploads/. - WP-Cron contains no unfamiliar scheduled events.
wp-config.phpintegrity verified; salts and DB credentials rotated.- Logging enabled on authentication and password reset endpoints.