PT-2026-58881 · WordPress · Shibboleth
Khaled Alenazi
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-12281
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Shibboleth WordPress plugin versions prior to 2.5.4
Description
An authentication bypass exists when the HTTP header identity mode is enabled without an anti-spoofing key. In this configuration, the plugin treats any request containing identity headers as an authenticated session without proper verification. If untrusted client headers reach the application, an unauthenticated attacker can log in using forged identity headers. Furthermore, if automatic account creation and default administrator role mapping are enabled, the attacker can create and sign in as a new administrator. This issue occurs when the non-default HTTP header attribute mode is active, the spoof key is empty or absent, and the deployment fails to strip untrusted client headers before they reach the application.
Recommendations
Update Shibboleth WordPress plugin to version 2.5.4 or later.
As a temporary mitigation, ensure that untrusted client headers are stripped before they reach the application or configure a valid anti-spoofing key.
Exploit
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Shibboleth