Security Bulletin — July 16, 2026: Critical Signature Algorithm Confusion in SAML-SSO and Three Additional WordPress Vulnerabilities
16 July 2026 · jproxx Security
This is our daily security overview, in which we review the published vulnerabilities and highlight those that are actually relevant for the operation of WordPress websites, online shops, and PHP applications. Every statement in this bulletin has been verified against the underlying primary source and linked at the end of the respective section. July 16 brought with it four new entries in the National Vulnerability Database, a notably dense series of WordPress-related flaws — including a critical issue in a SAML SSO plugin exploitable without authentication, plus three additional entries related to privilege escalation and CSRF. No new Shopware advisory or new PHP core vulnerability on this day.
CVE-2026-15013 — Signature Algorithm Confusion in SAML Single Sign On for WordPress (critical)
The WordPress plugin SAML Single Sign On – SSO Login by cyberlord92 exhibits, in all
versions, a vulnerability through signature algorithm confusion in the
SAML authentication flow. When an attacker submits a SAML response containing a
manipulated Signature-Algorithm header to the IDP validation code, the plugin can be
tricked into not correctly verifying the digital signature of the Identity Provider.
In practice, this means: an attacker can generate an arbitrarily formatted SAML
assertion, without having access to the Identity Provider’s signing key secret, and
send it to the WordPress server. The server accepts the assertion as legitimate because
the algorithm is not adequately validated, and grants the attacker full administrative
access to the WordPress instance as a result. The vulnerability is exploitable over the
network without any authentication or user interaction — an attacker reachable via the
Internet can thus take over full administrative control of the site simply by sending
a manipulated SAML response. The National Vulnerability Database assigns a CVSS score
of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), rates the flaw as critical, and
classifies it under the vulnerability class CWE-347 (Improper Verification of
Cryptographic Signature). Operators should disable the plugin immediately or block
access to the affected SAML authentication endpoint through an access rule until a
patch is available. We also recommend checking whether the Identity Provider is
configured to use only the HS256 algorithm (symmetric) — switching to an asymmetric
algorithm such as RS256 reduces the attack surface, provided the plugin side correctly
validates the algorithm.
Sources: National Vulnerability Database — CVE-2026-15013 · CVE-Record — CVE-2026-15013
CVE-2026-15103 — Privilege Escalation in WPFunnels – Funnel Builder for WooCommerce (high)
The funnel builder plugin WPFunnels – Funnel Builder for WooCommerce by getwpfunnels
exhibits, in all versions, insufficient access control on an option modification
endpoint. An authenticated user with the Editor role can manipulate arbitrary WordPress
configuration options via this endpoint, including sensitive settings that are normally
restricted to administrator permissions. The missing capability check allows attackers
who have gained Editor or Author access to modify the application configuration through
manipulated HTTP requests and thereby take control of the website. The National
Vulnerability Database assigns a CVSS score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H),
rates the flaw as high, and classifies it under CWE-269 (Improper Privilege
Management). A patch was not named at press time; operators should restrict the Editor
role to trusted users and limit access to the funnel builder.
Sources: National Vulnerability Database — CVE-2026-15103 · CVE-Record — CVE-2026-15103
CVE-2026-13741 — Privilege Escalation in Digits: WordPress Mobile Number Signup and Login (high)
The plugin Digits: WordPress Mobile Number Signup and Login by UnitedOver contains an
insufficient access control in its user management API. An authenticated user with a
lower role can escalate their own permissions to a higher role via a specific API
endpoint, for example from Subscriber to Editor. The endpoint does not verify whether the
requesting user possesses the required Capability to perform role changes. The National
Vulnerability Database assigns a CVSS score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H),
rates the flaw as high, and classifies it under CWE-269. A patch was not named at press
time.
Sources: National Vulnerability Database — CVE-2026-13741 · CVE-Record — CVE-2026-13741
CVE-2026-15005 — CSRF in Loco Translate for WordPress (high)
The translation plugin Loco Translate by timwhitweak is, in all versions, affected by
a Cross-Site Request Forgery vulnerability. An attacker can place a malicious link or
form on a third-party site that is executed by an authenticated administrator when
visiting that page. This enables the attacker to perform unintended actions on behalf of
the administrator within the WordPress admin, such as deleting or modifying language
files. The National Vulnerability Database assigns a CVSS score of 8.8 (vector
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rates the flaw as high. A patch was not named
at press time.
Sources: National Vulnerability Database — CVE-2026-15005 · CVE-Record — CVE-2026-15005
Not sure if you are affected? Contact us.
This notice serves security education. The official statements of the respective manufacturer and the sources linked above are always authoritative.