
PEACH
Uma estrutura de isolamento de inquilino
CVE-2026-12281 is an authentication bypass vulnerability in the Shibboleth WordPress plugin before version 2.5.4, enabling unauthenticated attackers to forge HTTP identity headers and gain administrator access. The flaw was publicly disclosed on June 24, 2026, and added to the GitHub Advisory Database on July 15, 2026. It affects all Shibboleth plugin versions prior to 2.5.4 and was discovered and reported by researcher Khaled Alenazi (Nxploited). It carries a CVSS score of 8.1 (High) per WPScan, and is classified under CWE-287 (Improper Authentication) (WPScan, GitHub Advisory).
The root cause is a failure-open design flaw (CWE-287) in the plugin's HTTP header identity mode: when no anti-spoofing key is configured, the plugin unconditionally trusts any HTTP request that includes identity headers, treating it as an authenticated session without verification. An attacker on a network path where untrusted client-supplied headers are not stripped before reaching the WordPress application can craft HTTP requests with arbitrary identity headers to impersonate any user. Exploitation requires four non-default conditions to be simultaneously present: HTTP header attribute mode enabled, an empty or absent spoof key, automatic account creation enabled, and a deployment that does not sanitize or strip untrusted client headers at the network perimeter. A proof-of-concept is scheduled for public release on July 28, 2026, per WPScan's coordinated disclosure timeline (WPScan).
Successful exploitation allows an unauthenticated remote attacker to authenticate as any existing user or, when automatic account creation and default administrator role mapping are enabled, to create and immediately sign in as a new WordPress administrator. Full administrative access to the WordPress instance enables an attacker to install malicious plugins, modify site content, exfiltrate stored data (including user credentials and personal information), and potentially pivot to the underlying server infrastructure. The impact is categorized as an authentication bypass (OWASP A2: Broken Authentication and Session Management), with the highest risk in deployments where the attacker can control HTTP headers reaching the application (WPScan, GitHub Advisory).
REMOTE_USER, HTTP_SHIB_IDENTITY_PROVIDER, or other headers the plugin is configured to trust) set to a target username or a new administrator account name.wp-login.php or any authenticated endpoint) with the forged headers included.wp-login.php access) showing successful logins from unexpected IP addresses with no prior account history; new administrator accounts created with usernames not matching organizational naming conventions in wp_users table.REMOTE_USER, HTTP_SHIB_*) originating from untrusted client IPs rather than the expected Shibboleth IdP proxy.The primary remediation is to update the Shibboleth WordPress plugin to version 2.5.4 or later, which addresses the failure-open behavior by enforcing proper validation when HTTP header identity mode is used. As interim mitigations, administrators should: (1) configure an anti-spoofing key in the HTTP header identity mode settings; (2) disable automatic account creation if not operationally required; (3) review and restrict default administrator role mapping; and (4) ensure that network infrastructure (reverse proxies, load balancers) strips or validates untrusted client-supplied HTTP headers before they reach the WordPress application. Sites not using HTTP header attribute mode are not affected by this vulnerability (WPScan, GitHub Advisory).
The vulnerability was discovered and responsibly disclosed by independent researcher Khaled Alenazi (Nxploited), who submitted it through WPScan's coordinated disclosure process. WPScan has verified the vulnerability and is withholding the full proof-of-concept until July 28, 2026, to allow users time to update. No significant broader media coverage or notable community commentary beyond the initial disclosure has been identified at this time (WPScan).
Origem: Este relatório foi gerado usando IA
Avaliação de vulnerabilidade gratuita
Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.
Marque uma demonstração personalizada
"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."