Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated reach over HTTP (AV:N/PR:N/UI:N); AC:H reflects the non-trivial precondition implied by CWE-288 alternate-channel bypass; full admin-equivalent actions justify C:H/I:H/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.
AnalysisAI
Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.
Technical ContextAI
Really Simple SSL is a widely deployed WordPress plugin (CPE: really_simple_plugins:really_simple_ssl) originally designed to enforce HTTPS but which in modern versions also provides hardening features including two-factor authentication, login protection, and vulnerability detection. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates that the plugin exposes a code path which reaches privileged functionality without correctly validating the caller's identity - typical root causes include REST API endpoints with insufficient permission_callback checks, nonce verification gaps, or 2FA flows that can be skipped by manipulating request parameters. Because the plugin runs inside WordPress's PHP request lifecycle, a bypass effectively grants the attacker whatever authority the bypassed endpoint operates with, up to and including administrator-equivalent actions depending on the affected handler.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-10-broken-authentication-vulnerability and upgrade to the first release above 9.5.10 listed there (typically 9.5.11 or later in the Really Simple SSL 9.x branch). Until upgrade is possible, restrict access to /wp-admin and /wp-json/reallysimplessl/* (and any rsssl_* REST routes) via web-server allowlisting or a WAF rule that blocks unauthenticated calls to plugin endpoints - note this will break legitimate frontend features such as the plugin's own SSL health checks and 2FA enrollment flows. As a defense-in-depth measure, enforce strong administrator passwords and a second factor outside the affected plugin (e.g., a separate 2FA solution or hosting-provider login protection) so that even a successful bypass does not directly yield admin session control; the trade-off is operational overhead of running two auth mechanisms. Auditing wp_users, recent administrator role grants, and plugin/theme installs is recommended before and after patching to detect prior abuse.
More in Really Simple Ssl
View allBroken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated sub
Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote att
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36866
GHSA-jmwh-pjxm-p3cm