Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.
AnalysisAI
An authorization bypass vulnerability in Really Simple Security Pro versions through 9.5.4.0 allows unauthenticated attackers to exploit incorrectly configured access control through user-controlled keys, resulting in integrity and availability impacts. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS score of 6.5, indicating medium severity with network-based attack vector requiring no privileges or user interaction. Patchstack has documented this issue affecting the Really Simple Plugins B.V. Really Simple Security Pro WordPress plugin, though active exploitation status and POC availability from public sources require verification against current threat intelligence feeds.
Technical ContextAI
This vulnerability exploits improper access control mechanisms in Really Simple Security Pro, a WordPress security plugin developed by Really Simple Plugins B.V. The root cause, classified under CWE-639, involves authorization decisions that depend on user-controllable parameters rather than server-side authorization logic. The affected product (cpe:2.3:a:really_simple_plugins_b.v.:really_simple_security_pro:*:*:*:*:*:*:*:*) implements security features for WordPress environments but fails to properly validate access controls, allowing attackers to manipulate authentication or authorization tokens or keys. WordPress plugins operating at a privileged level within the CMS can have disproportionate impact since they often handle sensitive security configurations, user roles, and administrative functions. The vulnerability pattern suggests that the plugin may be passing user-supplied input directly into authorization decisions without cryptographic validation or server-side state verification.
RemediationAI
Immediately upgrade Really Simple Security Pro to a patched version beyond 9.5.4.0 as released by Really Simple Plugins B.V. Check the vendor advisory at Patchstack (https://patchstack.com/database/wordpress/plugin/really-simple-ssl-pro/vulnerability/wordpress-really-simple-security-pro-plugin-9-5-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve) for the specific patched version number and upgrade instructions. Until patching is complete, implement compensating controls including restricting WordPress administrative access to trusted IP ranges via web application firewall (WAF) rules or reverse proxy, disabling the vulnerable plugin if functionally replaceable, and monitoring WordPress access logs and security event logs for signs of exploitation such as unusual administrative actions or configuration changes. Apply WordPress security hardening practices including strong authentication, two-factor authentication for administrative accounts, and principle of least privilege for user roles.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13055