Skip to content
jproxx
← Back to the blog

Security Bulletin — July 16, 2026: Critical Signature Algorithm Confusion in SAML-SSO and Three Additional WordPress Vulnerabilities

16 July 2026 · jproxx Security

This is our daily security overview, in which we review the published vulnerabilities and highlight those that are actually relevant for the operation of WordPress websites, online shops, and PHP applications. Every statement in this bulletin has been verified against the underlying primary source and linked at the end of the respective section. July 16 brought with it four new entries in the National Vulnerability Database, a notably dense series of WordPress-related flaws — including a critical issue in a SAML SSO plugin exploitable without authentication, plus three additional entries related to privilege escalation and CSRF. No new Shopware advisory or new PHP core vulnerability on this day.

CVE-2026-15013 — Signature Algorithm Confusion in SAML Single Sign On for WordPress (critical)

The WordPress plugin SAML Single Sign On – SSO Login by cyberlord92 exhibits, in all versions, a vulnerability through signature algorithm confusion in the SAML authentication flow. When an attacker submits a SAML response containing a manipulated Signature-Algorithm header to the IDP validation code, the plugin can be tricked into not correctly verifying the digital signature of the Identity Provider. In practice, this means: an attacker can generate an arbitrarily formatted SAML assertion, without having access to the Identity Provider’s signing key secret, and send it to the WordPress server. The server accepts the assertion as legitimate because the algorithm is not adequately validated, and grants the attacker full administrative access to the WordPress instance as a result. The vulnerability is exploitable over the network without any authentication or user interaction — an attacker reachable via the Internet can thus take over full administrative control of the site simply by sending a manipulated SAML response. The National Vulnerability Database assigns a CVSS score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), rates the flaw as critical, and classifies it under the vulnerability class CWE-347 (Improper Verification of Cryptographic Signature). Operators should disable the plugin immediately or block access to the affected SAML authentication endpoint through an access rule until a patch is available. We also recommend checking whether the Identity Provider is configured to use only the HS256 algorithm (symmetric) — switching to an asymmetric algorithm such as RS256 reduces the attack surface, provided the plugin side correctly validates the algorithm.

Sources: National Vulnerability Database — CVE-2026-15013 · CVE-Record — CVE-2026-15013

CVE-2026-15103 — Privilege Escalation in WPFunnels – Funnel Builder for WooCommerce (high)

The funnel builder plugin WPFunnels – Funnel Builder for WooCommerce by getwpfunnels exhibits, in all versions, insufficient access control on an option modification endpoint. An authenticated user with the Editor role can manipulate arbitrary WordPress configuration options via this endpoint, including sensitive settings that are normally restricted to administrator permissions. The missing capability check allows attackers who have gained Editor or Author access to modify the application configuration through manipulated HTTP requests and thereby take control of the website. The National Vulnerability Database assigns a CVSS score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rates the flaw as high, and classifies it under CWE-269 (Improper Privilege Management). A patch was not named at press time; operators should restrict the Editor role to trusted users and limit access to the funnel builder.

Sources: National Vulnerability Database — CVE-2026-15103 · CVE-Record — CVE-2026-15103

CVE-2026-13741 — Privilege Escalation in Digits: WordPress Mobile Number Signup and Login (high)

The plugin Digits: WordPress Mobile Number Signup and Login by UnitedOver contains an insufficient access control in its user management API. An authenticated user with a lower role can escalate their own permissions to a higher role via a specific API endpoint, for example from Subscriber to Editor. The endpoint does not verify whether the requesting user possesses the required Capability to perform role changes. The National Vulnerability Database assigns a CVSS score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rates the flaw as high, and classifies it under CWE-269. A patch was not named at press time.

Sources: National Vulnerability Database — CVE-2026-13741 · CVE-Record — CVE-2026-13741

CVE-2026-15005 — CSRF in Loco Translate for WordPress (high)

The translation plugin Loco Translate by timwhitweak is, in all versions, affected by a Cross-Site Request Forgery vulnerability. An attacker can place a malicious link or form on a third-party site that is executed by an authenticated administrator when visiting that page. This enables the attacker to perform unintended actions on behalf of the administrator within the WordPress admin, such as deleting or modifying language files. The National Vulnerability Database assigns a CVSS score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rates the flaw as high. A patch was not named at press time.

Sources: National Vulnerability Database — CVE-2026-15005 · CVE-Record — CVE-2026-15005

Not sure if you are affected? Contact us.


This notice serves security education. The official statements of the respective manufacturer and the sources linked above are always authoritative.