Skip to main content

Really Simple SSL EUVDEUVD-2026-36723

| CVE-2026-48969 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-cmjx-cfrh-588x
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible subscriber-level authentication required (PR:L); high integrity impact reflects unauthorized settings modification with no confidentiality disclosure or availability disruption.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 14:35 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.

AnalysisAI

Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.

Technical ContextAI

Really Simple SSL (CPE: cpe:2.3:a:really_simple_plugins_b.v.:really_simple_ssl:*:*:*:*:*:*:*:*) is a widely deployed WordPress plugin responsible for enforcing HTTPS redirects and managing SSL/TLS configurations at the application layer. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints or REST API routes fail to verify that the requesting user holds sufficient capability before executing sensitive operations. In WordPress, subscriber is the lowest built-in role, assigned to any registered user, so this flaw is exploitable by any account holder - including those self-registered on sites with open registration enabled. The CVSS integrity impact of High (I:H) suggests the attacker can persistently alter plugin settings, potentially disabling forced HTTPS redirects or weakening SSL enforcement for the entire site.

RemediationAI

Update Really Simple SSL to a version beyond 9.5.9 via the WordPress plugin dashboard or the WordPress.org plugin repository - the exact patched release version was not independently confirmed in the available input data, so verify the current stable release against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-9-broken-access-control-vulnerability before applying. If an immediate update is not feasible, disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to prevent untrusted parties from acquiring subscriber accounts; note this does not protect against pre-existing subscriber accounts. Auditing and removing unnecessary subscriber-level user accounts can further reduce the exploitable surface while awaiting the patch. No workaround fully mitigates the missing authorization flaw - patching is the only definitive fix.

Share

EUVD-2026-36723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy