Skip to main content

Really Simple Security Pro CVE-2026-27397

| EUVDEUVD-2026-13055 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-19 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 06:00 euvd
EUVD-2026-13055
Analysis Generated
Mar 19, 2026 - 06:00 vuln.today
CVE Published
Mar 19, 2026 - 05:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.

AnalysisAI

An authorization bypass vulnerability in Really Simple Security Pro versions through 9.5.4.0 allows unauthenticated attackers to exploit incorrectly configured access control through user-controlled keys, resulting in integrity and availability impacts. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS score of 6.5, indicating medium severity with network-based attack vector requiring no privileges or user interaction. Patchstack has documented this issue affecting the Really Simple Plugins B.V. Really Simple Security Pro WordPress plugin, though active exploitation status and POC availability from public sources require verification against current threat intelligence feeds.

Technical ContextAI

This vulnerability exploits improper access control mechanisms in Really Simple Security Pro, a WordPress security plugin developed by Really Simple Plugins B.V. The root cause, classified under CWE-639, involves authorization decisions that depend on user-controllable parameters rather than server-side authorization logic. The affected product (cpe:2.3:a:really_simple_plugins_b.v.:really_simple_security_pro:*:*:*:*:*:*:*:*) implements security features for WordPress environments but fails to properly validate access controls, allowing attackers to manipulate authentication or authorization tokens or keys. WordPress plugins operating at a privileged level within the CMS can have disproportionate impact since they often handle sensitive security configurations, user roles, and administrative functions. The vulnerability pattern suggests that the plugin may be passing user-supplied input directly into authorization decisions without cryptographic validation or server-side state verification.

RemediationAI

Immediately upgrade Really Simple Security Pro to a patched version beyond 9.5.4.0 as released by Really Simple Plugins B.V. Check the vendor advisory at Patchstack (https://patchstack.com/database/wordpress/plugin/really-simple-ssl-pro/vulnerability/wordpress-really-simple-security-pro-plugin-9-5-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve) for the specific patched version number and upgrade instructions. Until patching is complete, implement compensating controls including restricting WordPress administrative access to trusted IP ranges via web application firewall (WAF) rules or reverse proxy, disabling the vulnerable plugin if functionally replaceable, and monitoring WordPress access logs and security event logs for signs of exploitation such as unusual administrative actions or configuration changes. Apply WordPress security hardening practices including strong authentication, two-factor authentication for administrative accounts, and principle of least privilege for user roles.

Share

CVE-2026-27397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy