Skip to main content

Login with NEAR CVE-2026-8994

| EUVDEUVD-2026-32094 HIGH
Improper Authentication (CWE-287)
2026-05-27 security@wordfence.com GHSA-6gff-f85j-33mr
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 20:32 vuln.today
CVE Published
May 27, 2026 - 07:16 nvd
HIGH 8.1

DescriptionCVE.org

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The ajaxLoginWithNear() function - registered as a wp_ajax_nopriv action and therefore reachable by unauthenticated users - accepts an attacker-supplied account POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for .near, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic <account>@near.org pattern derived from the supplied account value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.

AnalysisAI

Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.

Technical ContextAI

The vulnerability lives in the plugin's UserLoginController (per the referenced wordpress.org trac source at Controllers/UserLoginController.php), which wires ajaxLoginWithNear() to WordPress's wp_ajax_nopriv_ hook - the action prefix that makes an AJAX endpoint reachable by unauthenticated visitors at /wp-admin/admin-ajax.php. NEAR is a blockchain wallet ecosystem whose named accounts end in '.near', and a proper integration should prove wallet control via cryptographic signing of a server-issued challenge. Instead, the handler trusts an attacker-supplied 'account' POST value, validates it only by checking for the '.near' substring, derives a WordPress account by appending '@near.org', and then authenticates that user. This is a textbook CWE-287 (Improper Authentication): the application authenticates an identity claim without verifying any secret or proof of ownership.

RemediationAI

No vendor-released patch identified at time of analysis - the EUVD data shows every version through 0.3.3 as affected and no fixed release is cited in the references. Until a patched version is published, the most reliable mitigation is to deactivate and remove the Login with NEAR plugin, which fully eliminates the unauthenticated admin-ajax endpoint at the cost of disabling NEAR wallet login. If the plugin must remain active, restrict access to /wp-admin/admin-ajax.php for the nopriv 'loginwithnear'/NEAR login action at the WAF or web-server layer and audit user accounts for any unexpected users with @near.org email addresses or recently created accounts, removing rogue ones; note that blocking admin-ajax broadly can break other plugins that legitimately rely on it. Monitor the plugin's WordPress.org page and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/f1eacb72-df11-4a3b-9064-f8f776f3522b) for an updated release, then upgrade to the fixed version once available and rotate credentials/sessions for any affected accounts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy