Really Simple Ssl
Monthly
Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.
Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.
Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote attackers to modify security settings through improper access control mechanisms. The vulnerability has a medium severity rating with a CVSS score of 5.3 and currently lacks a publicly available patch. Organizations using affected versions should review their SSL security configurations and consider upgrading when patches become available.
Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.
Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.
Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote attackers to modify security settings through improper access control mechanisms. The vulnerability has a medium severity rating with a CVSS score of 5.3 and currently lacks a publicly available patch. Organizations using affected versions should review their SSL security configurations and consider upgrading when patches become available.