Skip to main content

Really Simple SSL CVE-2026-48970

| EUVDEUVD-2026-36866 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-jmwh-pjxm-p3cm
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote unauthenticated reach over HTTP (AV:N/PR:N/UI:N); AC:H reflects the non-trivial precondition implied by CWE-288 alternate-channel bypass; full admin-equivalent actions justify C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:42 vuln.today

DescriptionCVE.org

Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.

AnalysisAI

Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.

Technical ContextAI

Really Simple SSL is a widely deployed WordPress plugin (CPE: really_simple_plugins:really_simple_ssl) originally designed to enforce HTTPS but which in modern versions also provides hardening features including two-factor authentication, login protection, and vulnerability detection. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates that the plugin exposes a code path which reaches privileged functionality without correctly validating the caller's identity - typical root causes include REST API endpoints with insufficient permission_callback checks, nonce verification gaps, or 2FA flows that can be skipped by manipulating request parameters. Because the plugin runs inside WordPress's PHP request lifecycle, a bypass effectively grants the attacker whatever authority the bypassed endpoint operates with, up to and including administrator-equivalent actions depending on the affected handler.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-10-broken-authentication-vulnerability and upgrade to the first release above 9.5.10 listed there (typically 9.5.11 or later in the Really Simple SSL 9.x branch). Until upgrade is possible, restrict access to /wp-admin and /wp-json/reallysimplessl/* (and any rsssl_* REST routes) via web-server allowlisting or a WAF rule that blocks unauthenticated calls to plugin endpoints - note this will break legitimate frontend features such as the plugin's own SSL health checks and 2FA enrollment flows. As a defense-in-depth measure, enforce strong administrator passwords and a second factor outside the affected plugin (e.g., a separate 2FA solution or hosting-provider login protection) so that even a successful bypass does not directly yield admin session control; the trade-off is operational overhead of running two auth mechanisms. Auditing wp_users, recent administrator role grants, and plugin/theme installs is recommended before and after patching to detect prior abuse.

Share

CVE-2026-48970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy