The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users.
{
"cpe": "cpe:2.3:a:onelogin:onelogin_saml_sso:*:*:*:*:*:wordpress:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"source": "CPE_RANGE"
}