CVE-2026-2418
Published: 05 March 2026
Summary
CVE-2026-2418 is a critical-severity vulnerability whose weakness type is unspecified (no CWE has been assigned). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 28.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-13 (Identity Providers and Authorization Servers): governs trust in external identity providers such as Salesforce so that only accounts explicitly permitted to authenticate through the provider are accepted, preventing impersonation via an unvalidated email address.
AC-3 (Access Enforcement): enforces approved authorizations at the point of login, addressing the plugin's failure to check whether a given account is allowed to log in through Salesforce.
Organizational user identification and authentication: requires every organizational user to be uniquely identified and authenticated before access is granted, limiting the impact of an authentication bypass in an external login plugin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin (T1190: Exploit Public-Facing Application), enabling unauthenticated attackers to impersonate any existing user account (T1078: Valid Accounts).
NVD Description
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email
Deeper analysis
CVE-2026-2418 is a critical authentication bypass vulnerability in the Login with Salesforce WordPress plugin through version 1.0.2. The flaw occurs because the plugin fails to validate whether users are permitted to authenticate via Salesforce, allowing attackers to impersonate any existing user account simply by providing the target's email address.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Successful exploitation enables attackers to authenticate as any user, including administrators, potentially granting full unauthorized access to the WordPress site and compromising sensitive data or enabling further malicious actions.
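The following is an added illustration of the bug class, not the Login with Salesforce plugin's own code (the advisory does not publish it). It contrasts a login handler that trusts an email address with a hardened OAuth callback that (a) binds the callback to the login attempt, (b) obtains the identity only through a server-side token exchange with Salesforce, (c) maps the identity to a WordPress user by a stable Salesforce user ID an administrator linked, and (d) requires an explicit per-account opt-in before setting a session, which is the check the advisory says version 1.0.2 lacks. The option names (lwsf_client_id, lwsf_client_secret), user meta keys (lwsf_sf_user_id, lwsf_sso_enabled), cookie name and callback query parameter are assumptions made for this example; the token and identity endpoints are Salesforce's documented OAuth 2.0 endpoints.

```php
<?php
/**
 * Illustrative WordPress SSO callback: vulnerable pattern vs hardened pattern.
 * Added example with hypothetical names; not the plugin's source code.
 * Assumed: options 'lwsf_client_id'/'lwsf_client_secret', user meta
 * 'lwsf_sf_user_id' (linked Salesforce user ID) and 'lwsf_sso_enabled' ('1'),
 * cookie 'lwsf_oauth_state' set when the login flow started.
 */

// --- Vulnerable pattern: trust an email address and log the matching user in. ---
// However $email arrives (a request parameter, or an identity payload that was
// never tied to a verified token), anyone who knows an account's email gets a
// session for it, including for an administrator.
function lwsf_vulnerable_login( $email ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( ! $user ) {
        return false;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID ); // no check that this account may log in via Salesforce
    return $user->ID;
}

// --- Hardened pattern: only a Salesforce-verified, admin-linked, opted-in account logs in. ---
function lwsf_hardened_callback() {
    if ( empty( $_GET['code'] ) || empty( $_GET['state'] ) ) {
        wp_die( 'Missing OAuth parameters', 400 );
    }
    // 1. Bind the callback to the login attempt that started it (login CSRF).
    $expected_state = isset( $_COOKIE['lwsf_oauth_state'] ) ? (string) $_COOKIE['lwsf_oauth_state'] : '';
    $given_state    = sanitize_text_field( wp_unslash( $_GET['state'] ) );
    if ( '' === $expected_state || ! hash_equals( $expected_state, $given_state ) ) {
        wp_die( 'Invalid OAuth state', 403 );
    }

    // 2. Exchange the code server-side; only Salesforce can mint a valid token.
    $resp = wp_remote_post( 'https://login.salesforce.com/services/oauth2/token', array(
        'body' => array(
            'grant_type'    => 'authorization_code',
            'code'          => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
            'client_id'     => get_option( 'lwsf_client_id' ),
            'client_secret' => get_option( 'lwsf_client_secret' ),
            'redirect_uri'  => home_url( '/?lwsf_callback=1' ),
        ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'Token exchange failed', 502 );
    }
    $token = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $token['access_token'] ) || empty( $token['id'] ) ) {
        wp_die( 'Malformed token response', 502 );
    }

    // 3. Resolve the identity with the token. The identity URL ($token['id']) comes
    //    from Salesforce's token response, never from the inbound request.
    $id_resp = wp_remote_get( $token['id'], array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token['access_token'] ),
    ) );
    if ( is_wp_error( $id_resp ) || 200 !== wp_remote_retrieve_response_code( $id_resp ) ) {
        wp_die( 'Identity lookup failed', 502 );
    }
    $identity = json_decode( wp_remote_retrieve_body( $id_resp ), true );
    if ( empty( $identity['user_id'] ) || empty( $identity['active'] ) ) {
        wp_die( 'Identity not usable', 403 );
    }

    // 4. Map by the Salesforce user ID an administrator linked, not by email:
    //    an attacker can choose the email on an account they control, not this ID.
    $users = get_users( array(
        'meta_key'   => 'lwsf_sf_user_id',
        'meta_value' => $identity['user_id'],
        'number'     => 2,
    ) );
    if ( 1 !== count( $users ) ) {
        wp_die( 'No uniquely linked WordPress account', 403 );
    }
    $user = $users[0];

    // 5. Require an explicit per-account permission to use Salesforce login.
    if ( '1' !== get_user_meta( $user->ID, 'lwsf_sso_enabled', true ) ) {
        wp_die( 'Salesforce login not permitted for this account', 403 );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}

add_action( 'init', function () {
    if ( isset( $_GET['lwsf_callback'] ) ) {
        lwsf_hardened_callback();
    }
} );
```

The point of steps 4 and 5 is that possession of a valid Salesforce identity is necessary but not sufficient: the site, not the identity provider, decides which local accounts may be reached through SSO, and it decides by a binding an administrator created rather than by an attribute the attacker may be able to control.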
The WPScan advisory provides further details on this vulnerability, available at https://wpscan.com/vulnerability/b25c6cbc-39e7-4fa0-af0b-ee7759d2c497/.
Details
- CWE(s)