PT-2026-58881 · WordPress · Shibboleth

Khaled Alenazi

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-12281

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Shibboleth WordPress plugin versions prior to 2.5.4
Description An authentication bypass exists when the HTTP header identity mode is enabled without an anti-spoofing key. In this configuration, the plugin treats any request containing identity headers as an authenticated session without proper verification. If untrusted client headers reach the application, an unauthenticated attacker can log in using forged identity headers. Furthermore, if automatic account creation and default administrator role mapping are enabled, the attacker can create and sign in as a new administrator. This issue occurs when the non-default HTTP header attribute mode is active, the spoof key is empty or absent, and the deployment fails to strip untrusted client headers before they reach the application.
Recommendations Update Shibboleth WordPress plugin to version 2.5.4 or later. As a temporary mitigation, ensure that untrusted client headers are stripped before they reach the application or configure a valid anti-spoofing key.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12281

Affected Products

Shibboleth