Vulnerabilities and security researches foronelogin-saml-sso onelogin-saml-sso

Jun 16, 2026

CVE, Research URL: 1a67c6e8c0f626e7e972617535855a0e05c26280
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Jan 28, 2019
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 3.0.0 OneLogin SAML SSO <= 2.8.0 - Distributed Denial-of-Service The OneLogin SAML SSO for WordPress is vulnerable to DDoS in versions up to, and including, 2.8.0. This is due to an XML Entity Expansion. This makes it possible for unauthenticated attackers to use XML External Entity to cause the vulnerable service to slow down and/or become unresponsive.
Affected versions: max 3.0.0.
Status: vulnerable

CVE, Research URL: ec8b02a9e067f197a2449cdd8ce4e3c5fb7cbc29
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Oct 14, 2016
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.4.3 OneLogin SAML SSO <= 2.4.2 - Use of Vulnerable Component The OneLogin SAML SSO plugin for WordPress is potentially vulnerable to SAML Signature Wrapping attack due to use of a less secure version of the php-saml library in versions up to, and including, 2.4.2.
Affected versions: max 2.4.3.
Status: vulnerable

CVE, Research URL: 83db63439730e3225b9f5d4fdea2dabfabfe99a7
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Jun 06, 2016
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.1.6 OneLogin SAML-SSO Plugin < 2.1.6 - Authentication Bypass The OneLogin SAML-SSO plugin for WordPress is vulnerable to authentication bypass due to insufficient user validation in the ~/onelogin-saml-sso/onelogin_saml.php file in versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create new accounts, including administrator accounts if an existing administrator's role name, username, or email address is correctly guessed.
Affected versions: max 2.1.6.
Status: vulnerable

CVE, Research URL: 530cfac92999235c44a4feccfbdf12b2da327104
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Jun 06, 2016
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.1.6 WordPress OneLogin SAML SSO Plugin <= 2.1.5 - Authentication Bypass This plugin has a bug which allows anyone to login without a password or other authentication. Update the plugin.
Affected versions: max 2.1.6.
Status: vulnerable

CVE, Research URL: 4769ad415559fb0b36a2b47b82588695681dc98f
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Oct 17, 2016
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.4.3 WordPress OneLogin SAML SSO Plugin <= 2.4.2 - Signature Wrapping This plugin is prone to a signature wrapping vulnerability. Update the plugin.
Affected versions: max 2.4.3.
Status: vulnerable

CVE, Research URL: 42875c697f50278ddd8851b2fe09cee77bb52a6a
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Mar 31, 2021
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 3.2.0 OneLogin SAML SSO <= 3.1.2 - Open Redirection The OneLogin SAML SSO plugin for WordPress is vulnerable to open redirection in versions up to, and including, 3.1.2. This makes it possible for unauthorized attackers to redirect traffic to potentially malicious websites.
Affected versions: max 3.2.0.
Status: vulnerable

CVE, Research URL: b2b457932384eefb77f16b43d6d403eb29ec35bd
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Jun 06, 2016
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.1.9 WordPress OneLogin SAML SSO Plugin <= 2.1.8 - Privilege Escalation This plugin is prone to a privilege escalation vulnerability. Update the plugin.
Affected versions: max 2.1.9.
Status: vulnerable

CVE, Research URL: 57fc5071-e157-422e-b45c-2fb0150de6b9
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: -
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.4.3 OneLogin SAML SSO <= 2.4.2 - Signature Wrapping OneLogin SAML SSO updates php-saml library to 2.10.0 (it includes SAML Signature Wrapping attack prevention and other security improvements).
Affected versions: max 2.4.3.
Status: vulnerable

CVE, Research URL: 9f87f7b1-aecc-4abf-9dd0-078815f16d7e
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: -
Research Description: OneLogin SAML SSO [onelogin-saml-sso] < 2.1.6 OneLogin SAML SSO <= 2.1.5 - Authentication Bypass The OneLogin SAML SSO WordPress plugin was affected by an Authentication Bypass security vulnerability.
Affected versions: max 2.1.6.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2016-10928
Home page URL: Security reports for OneLogin SAML SSO
Application: OneLogin SAML SSO
Date: Aug 23, 2019
Research Description: The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users.
Affected versions: max 2.2.0.
Status: vulnerable