
Really Simple Security CVE-2026-8293

EUVD-2026-33882 · HIGH
Improper Authentication (CWE-287)
2026-06-02 · WPScan · GHSA-g33r-3vq8-q6f4
7.5 · CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

  • Analysis generated: Jun 02, 2026 12:22 (vuln.today)
  • CVSS changed: Jun 02, 2026 12:22 (NVD), 7.5 (HIGH)
  • Patch available: Jun 02, 2026 08:01 (EUVD)
  • CVE published: Jun 02, 2026 06:00 (NVD), HIGH 7.5
  • CVE published: Jun 02, 2026 06:00 (NVD), no severity yet

Description (CVE.org)

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

Analysis (AI)

A two-factor authentication bypass in the Really Simple Security WordPress plugin before 9.5.10.1 lets an attacker who already holds a valid username and password obtain a fully authenticated WordPress session without completing the email OTP challenge. Two REST endpoints in the plugin's 2FA flow fail to enforce the second-factor check, so the MFA protection the plugin is marketed to provide is neutralized for any account whose password is already known. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: obtain valid user credentials
Delivery: identify a site running Really Simple Security with 2FA enabled
Exploit: send a crafted request to an unprotected 2FA REST endpoint
Execution: receive an authenticated WordPress session cookie
Persist: use the account without ever completing the email OTP
Impact: escalate to administrative actions if the account is privileged

Vulnerability Assessment (AI)

Exploitation: The attacker must already possess a valid username and password for a target account on a site running Really Simple Security before 9.5.10.1 with its email-based two-factor authentication enabled. The bug defeats only the second factor, so stage-one credentials are a hard prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H yields a 7.5 base score: network reachable, no user interaction, full confidentiality, integrity and availability impact, tempered by high attack complexity and a low-privilege prerequisite. Read PR:L with care here: it stands for possession of a valid password rather than an existing application role, and a stolen password is precisely the scenario this plugin's 2FA exists to defend against. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker obtains a WordPress user's password through credential stuffing, phishing or a prior breach, then, instead of completing the email OTP step required by Really Simple Security's 2FA, sends a crafted request directly to one of the two unprotected REST endpoints and receives a valid authenticated session cookie. A public PoC exists via WPScan, lowering the skill barrier. If the compromised account is an administrator, the attacker can install malicious plugins, exfiltrate data or deface the site.
Remediation: Upgrade the Really Simple Security plugin to version 9.5.10.1 or later via the WordPress plugin updater or by downloading it from the vendor. This is the only complete fix and should be applied immediately given the public PoC. … Detailed patch versions, workarounds, and compensating controls in full report.
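The analysis and exploit scenario above describe a verification endpoint that hands out a session without ever checking the second factor. The following is an added example written for this page, not code from the Really Simple Security plugin: it models that bug class in a toy email-OTP login, where `vulnerable_verify` issues the session on the strength of the pending-login token alone, while `fixed_verify` gates it on an unexpired, attempt-limited, constant-time OTP match. Every name, the in-memory stores, the simulated mailbox and the `alice` record are constructed assumptions; the real plugin's routes and storage are not on this page.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5

# Constructed stand-ins for user records, pending logins, sessions and the mailer.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "email_otp_enabled": True,
    }
}
PENDING = {}   # login_token -> {"user", "otp_hash", "expires", "attempts"}
SESSIONS = {}  # session_cookie -> username
OUTBOX = []    # (username, otp) pairs a real system would send by email


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(username: str, password: str):
    """Stage one: check the password, then park the login behind an email OTP.
    Returns the opaque pending-login token the client must present at stage two."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password_hash"], _digest(password)):
        return None
    token = secrets.token_urlsafe(32)
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[token] = {
        "user": username,
        "otp_hash": _digest(otp),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    OUTBOX.append((username, otp))  # the only place the OTP leaves the server
    return token


def _issue_session(username: str) -> str:
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    return cookie


def vulnerable_verify(login_token: str, otp: str):
    """Bug class: the endpoint treats the pending token as proof of the second
    factor. The submitted OTP is never compared, so a password alone wins a session."""
    pending = PENDING.pop(login_token, None)
    if pending is None:
        return None
    return _issue_session(pending["user"])


def fixed_verify(login_token: str, otp: str):
    """Hardened form: the session is issued only after a constant-time OTP match;
    the pending login is consumed on success, on expiry and on attempt exhaustion."""
    pending = PENDING.get(login_token)
    if pending is None:
        return None
    if time.time() > pending["expires"]:
        PENDING.pop(login_token)
        return None
    pending["attempts"] += 1
    if pending["attempts"] > MAX_OTP_ATTEMPTS:
        PENDING.pop(login_token)
        return None
    if not hmac.compare_digest(pending["otp_hash"], _digest(otp)):
        return None
    PENDING.pop(login_token)
    return _issue_session(pending["user"])


def attacker_with_password_only(verify, username: str, password: str):
    """The CVE scenario: stage-one credentials, no access to the mailbox.
    Submits a value that cannot match the OTP and asks the endpoint for a session."""
    token = start_login(username, password)
    if token is None:
        return None
    return verify(token, "not-the-otp")


def legitimate_user(verify, username: str, password: str):
    """Control case: the real user reads the OTP from the simulated mailbox."""
    token = start_login(username, password)
    otp = next(o for u, o in reversed(OUTBOX) if u == username)
    return verify(token, otp)
```

The point of the hardened version is that session issuance and OTP verification are one atomic decision inside the same handler; a flow that verifies in one endpoint and issues in another has to carry a server-side "second factor passed" flag between them, which is exactly the kind of state a second, unguarded endpoint can skip.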

Recommended Action (AI)

24 hours: Identify and inventory all WordPress installations running the Really Simple Security plugin, noting the current version of each. …
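For the inventory step, an added helper script written for this page (not the vendor's or the plugin's tooling) that queries the plugin version per WordPress root with WP-CLI and flags anything older than 9.5.10.1. It assumes `wp` is on the PATH and that the plugin's directory slug is `really-simple-ssl`; confirm the slug under wp-content/plugins on your own install before trusting the result.

```shell
#!/bin/sh
# Added example: inventory WordPress installs and flag Really Simple Security
# versions below the fixed release 9.5.10.1. Not the plugin's or vendor's tooling.
# Assumptions: WP-CLI is installed as `wp`, and the plugin's directory slug is
# really-simple-ssl (verify against wp-content/plugins on your install).

FIXED_VERSION="9.5.10.1"
PLUGIN_SLUG="really-simple-ssl"

# version_lt A B: succeed (exit 0) when dotted numeric version A sorts before B.
# Missing trailing components count as 0, so 9.5.10 < 9.5.10.1 and 9.5 == 9.5.0.
# Numeric dotted versions only; a "-beta" suffix would need stripping first.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# is_vulnerable VERSION: succeed when VERSION predates the patched release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# audit_site PATH: report the plugin state for one WordPress root directory.
# Output is one line: PATH<TAB>STATUS<TAB>VERSION
audit_site() {
    site="$1"
    # `wp plugin get <slug> --field=version` fails if the plugin is not installed.
    version="$(wp --path="$site" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" || {
        printf '%s\tnot-installed\t-\n' "$site"
        return 0
    }
    if is_vulnerable "$version"; then
        printf '%s\tVULNERABLE\t%s\n' "$site" "$version"
    else
        printf '%s\tpatched\t%s\n' "$site" "$version"
    fi
}

# Usage: sh rss-audit.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    audit_site "$site"
done
```

The version comparison is done by hand rather than with `sort -V` so the script behaves the same on minimal images without GNU coreutils; feed the output to whatever ticketing or patch-management tool tracks the 24-hour inventory.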


CVE-2026-8293 vulnerability details – vuln.today
