• Resolved Jeff Sterup

    (@foomagoo)


    I updated to the new version (2.2.0) and there is now a nagging alert at the top of all admin pages telling me to upgrade SimpleSAMLphp. I can dismiss the message but it comes right back on the next page load. You should be able to dismiss admin alerts so they will not come back. I don’t need a thousand emails from users of my sites that I need to update. I’m working on it.

Viewing 1 replies (of 1 total)
  • Plugin Contributor Chris Reynolds

    (@jazzs3quence)

    This is by design because that version of SimpleSAMLphp has a critical vulnerability that can allow identity forgery as detailed here: https://github.com/advisories/GHSA-46r4-f8gj-xg56 and here: https://nvd.nist.gov/vuln/detail/cve-2025-27773.

    The only functional update between the previous update of WP SAML Auth (2.1.4) and 2.2.0 is the addition of the code to detect the installed version of SimpleSAMLphp and add the notices. The built-in OneLogin package was also bumped, but that is irrelevant if you’re using SimpleSAML. Therefore, if you’re actively working on updating SimpleSAML, it’s safe to downgrade to 2.1.4 in the meantime. The reason why we made this a hard version bump (rather than a patch release) was specifically because of the blocking nature of the warnings.


The topic ‘Admin nag’ is closed to new replies.