Login with Salesforce WordPress Plugin Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in the Login with Salesforce WordPress plugin, affecting versions through 1.0.2. The vulnerability arises because the plugin does not properly validate whether users are authorized to log in via Salesforce. This flaw allows unauthenticated users to gain access as any user, including administrators, simply by knowing the user's email address.
Impact
Exploitation of this vulnerability allows unauthenticated users to authenticate as any user, including those with administrative privileges.
Reproduction
To reproduce this vulnerability, send a POST request to the WordPress site with the 'option' parameter set to 'readsamllogin'. Include the 'STATUS' parameter set to 'SUCCESS' and the 'NameID' parameter set to the base64-encoded email address of the target user. If the email corresponds to an existing user, the plugin will authenticate the request and set the authentication cookie, granting access to that user's account.
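Defenders can search captured POST bodies for the request shape described above. The detection logic below is an added example, not code from the plugin or from this advisory; the `(source_ip, method, body)` record layout (as a WAF or reverse proxy that logs form bodies might provide) and the sample records are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_nameid(value):
    """Return the e-mail address if value is base64 of one, else None."""
    value = value.replace(" ", "+")     # a raw '+' in a form body parses as a space
    value += "=" * (-len(value) % 4)    # tolerate stripped padding
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def match_request(body):
    """Return the targeted e-mail if a form-encoded body has all three markers."""
    params = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("option") != "readsamllogin" or params.get("STATUS") != "SUCCESS":
        return None
    return decode_nameid(params.get("NameID", ""))

def scan(records):
    """records: (source_ip, method, body) tuples; returns one finding per match."""
    findings = []
    for source_ip, method, body in records:
        if method.upper() != "POST":
            continue
        email = match_request(body)
        if email is not None:
            findings.append({"source": source_ip, "target_email": email})
    return findings

# Constructed sample records (documentation addresses, not real traffic).
_nameid = base64.b64encode(b"admin@example.com").decode()
SAMPLE = [
    ("198.51.100.4", "POST", "log=alice&pwd=redacted"),
    ("203.0.113.7", "POST", urlencode({"option": "readsamllogin", "STATUS": "SUCCESS", "NameID": _nameid})),
    ("203.0.113.7", "POST", urlencode({"option": "readsamllogin", "STATUS": "FAILED", "NameID": _nameid})),
    ("203.0.113.9", "POST", "option=readsamllogin&STATUS=SUCCESS&NameID=%%%"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Each finding names the account whose email was supplied, so it can be correlated with WordPress sessions created for that user at the same time.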
