Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple SSL: from n/a through <= 9.5.7.
AnalysisAI
Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote attackers to modify security settings through improper access control mechanisms. The vulnerability has a medium severity rating with a CVSS score of 5.3 and currently lacks a publicly available patch. Organizations using affected versions should review their SSL security configurations and consider upgrading when patches become available.
Technical ContextAI
Really Simple SSL is a WordPress security plugin (CPE identifier typically cpe:2.3:a:really_simple_plugins:really_simple_ssl) that manages SSL certificate configuration, HTTP-to-HTTPS redirection, and mixed content handling. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the plugin fails to properly enforce access control checks on administrative functions that modify security-related settings. The root cause involves insufficient privilege validation in REST API endpoints or admin interface functions that allow unauthenticated or low-privileged users to invoke security configuration changes. This is particularly critical because the plugin's core function is managing cryptographic and transport-layer security, making authorization flaws directly impact the application's defensive posture.
RemediationAI
Immediately upgrade Really Simple SSL to version 9.5.8 or later, which patches the missing authorization controls. Access the WordPress plugin dashboard, locate Really Simple SSL, and select the update option, or download the patched version directly from the Really Simple Plugins repository. Until patching is completed, mitigate exposure by restricting WordPress admin panel access via IP allowlisting, implementing a Web Application Firewall (WAF) rule to block unauthorized access to plugin configuration endpoints, and ensuring strong admin credentials are in place. For critical environments, consider temporarily disabling the plugin and managing SSL configuration through alternative methods (reverse proxy, hosting provider tools) until patching is verified in a staging environment.
More in Really Simple Ssl
View allAuthentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to c
Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated sub
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12021