Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-accessible subscriber-level authentication required (PR:L); high integrity impact reflects unauthorized settings modification with no confidentiality disclosure or availability disruption.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.
AnalysisAI
Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.
Technical ContextAI
Really Simple SSL (CPE: cpe:2.3:a:really_simple_plugins_b.v.:really_simple_ssl:*:*:*:*:*:*:*:*) is a widely deployed WordPress plugin responsible for enforcing HTTPS redirects and managing SSL/TLS configurations at the application layer. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints or REST API routes fail to verify that the requesting user holds sufficient capability before executing sensitive operations. In WordPress, subscriber is the lowest built-in role, assigned to any registered user, so this flaw is exploitable by any account holder - including those self-registered on sites with open registration enabled. The CVSS integrity impact of High (I:H) suggests the attacker can persistently alter plugin settings, potentially disabling forced HTTPS redirects or weakening SSL enforcement for the entire site.
RemediationAI
Update Really Simple SSL to a version beyond 9.5.9 via the WordPress plugin dashboard or the WordPress.org plugin repository - the exact patched release version was not independently confirmed in the available input data, so verify the current stable release against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-9-broken-access-control-vulnerability before applying. If an immediate update is not feasible, disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to prevent untrusted parties from acquiring subscriber accounts; note this does not protect against pre-existing subscriber accounts. Auditing and removing unnecessary subscriber-level user accounts can further reduce the exploitable surface while awaiting the patch. No workaround fully mitigates the missing authorization flaw - patching is the only definitive fix.
More in Really Simple Ssl
View allAuthentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to c
Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote att
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36723
GHSA-cmjx-cfrh-588x