CVE-2026-8293 · The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentic

01 · The Real Story

This is a deadbolt that still opens if you already stole the front-door key

CVE-2026-8293 is an authentication-bypass flaw in the *Really Simple Security* WordPress plugin affecting versions before 9.5.10.1. In the vulnerable email-based 2FA flow, two REST endpoints fail to enforce the second-factor check, so an attacker who already knows a victim user's WordPress password can complete login and obtain a valid authenticated session without supplying the email OTP. In plain English: the plugin can turn a stolen password into a full login even when admins thought email 2FA was protecting them.

The vendor's HIGH 7.5 score is defensible in lab terms because the impact can be full account takeover, including admin, on an internet-facing app. But in real enterprise patch triage this lands lower because the attacker must already have a valid password, the site must actually use this plugin's affected 2FA path, and the impacted flow appears tied to the email OTP implementation rather than every authentication method the product offers. That's meaningful friction, so this is a downgrade to MEDIUM rather than a must-drop-everything event.

"Serious for password-reuse victims, but this is not a clean internet-to-admin bug"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a valid WordPress password

The attacker first needs working credentials for an existing WordPress user. In practice that usually means password reuse, prior phishing, infostealer data, credential stuffing with tools like Hydra, or leaked credentials from another breach rather than direct exploitation of this CVE. Without a correct password, this bug does nothing.

Conditions required:

Attacker knows a valid username and password for a WordPress account
Target account is allowed to authenticate locally to WordPress

Where this breaks in practice:

This is not unauthenticated remote exploitation
MFA at an upstream IdP can eliminate local WordPress password use in some estates
Rate limiting, bot controls, and strong-password policies reduce the feeder stage

Detection/coverage: Most vuln scanners will not see this stage. Detection comes from auth telemetry: failed login bursts, impossible travel, IP reputation, and reused-password alerts if your identity stack supports them.

STEP 02

Confirm the plugin and login flow are in scope

The attacker identifies the site as running *Really Simple Security* and checks whether the targeted role is subject to the plugin's 2FA flow. WPScan, passive fingerprinting, plugin asset paths, or direct file/version disclosure can reveal the plugin; the login sequence then shows whether the site is using the affected email OTP challenge. If the site uses a different auth path, the chain dies here.

Conditions required:

Plugin is installed and version is earlier than 9.5.10.1
2FA is enabled for the target account or role
The target login path reaches the vulnerable REST endpoints

Where this breaks in practice:

Not every site with the plugin enables 2FA
Not every role is necessarily covered
Alternative methods such as TOTP, passkeys, SSO, or disabled REST exposure may reduce reachability

Detection/coverage: External scanners can usually identify the plugin and sometimes its version, but not whether the affected email OTP path is enabled for a specific user.

STEP 03

Skip the OTP via the vulnerable REST endpoints

Using curl, Burp Suite, or a custom script, the attacker authenticates with the known password and drives the login through the flawed REST endpoints that fail to enforce the second-factor challenge. The application returns or enables a valid authenticated WordPress session without requiring the email OTP. Functionally, the second factor becomes optional for that path.

Conditions required:

The vulnerable endpoints are reachable
The password-based first factor succeeds
The site is using the flawed email OTP flow

Where this breaks in practice:

The attacker still needs to understand the app flow well enough to hit the right endpoints
WAF or aggressive bot mitigation may interfere with scripted login abuse
If defenders removed local auth exposure or restricted /wp-json/, exploitation gets harder

Detection/coverage: Generic scanners may flag the version but cannot reliably validate bypass without credentials. Application logs showing successful sessions created without a completed OTP event are the best signal, if the plugin logs that sequence.

STEP 04

Use the acquired session for site takeover

Once logged in, the attacker operates with the victim's role. For an administrator, that can mean plugin installation, theme edits, content tampering, user creation, data theft, or persistence; with lower roles, impact is narrower unless another privilege-escalation path exists. The blast radius is therefore heavily role-dependent.

Conditions required:

Victim account has meaningful privileges
WordPress admin features are reachable from the established session

Where this breaks in practice:

Low-privilege users do not automatically yield full site takeover
Hardened WordPress settings may disable plugin/theme editors or restrict admin actions
EDR on the host will not see much if the abuse stays inside normal admin workflows

Detection/coverage: Standard web-app and WordPress audit logging can catch new plugin installs, user creation, file edits, or unusual admin activity after login. Many infrastructure scanners miss this entirely because the impact unfolds after valid authentication.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CISA KEV listing found and no credible public reporting of active exploitation campaigns as of 2026-06-02.
Public PoC status	No dedicated public PoC repository for CVE-2026-8293 was found in primary-source searching. Exploitation should still be straightforward for anyone who can observe the login flow with `Burp Suite` or `curl`.
EPSS	User-supplied EPSS is 0.00067 (about 0.067% 30-day probability), which is very low and consistent with low observed attacker interest so far; secondary aggregators place it around the 21st percentile.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities catalog.
CVSS vector	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H` — network reachable, but the important real-world limiter is PR:L in practice: you need a valid password first.
Affected versions	Really Simple Security before 9.5.10.1. Practical exposure is narrower than raw versioning because the vulnerable path also needs the plugin's affected 2FA login flow to be in use.
Fixed version	Update to 9.5.10.1 or later. The public changelog for 2026-04-29 says the release updated the 2FA login flow to address inconsistent verification behavior.
Exposure footprint	WordPress.org reports 3+ million active installations for the plugin, so the installed base is large. That said, only a subset will have the vulnerable version and the affected email OTP flow enabled for high-value users.
Disclosure timeline	NVD published the CVE on 2026-06-02; the patch appears to have been available earlier in 9.5.10.1 on 2026-04-29.
Historical context	This product line had a previous 2FA-related authentication bypass in 2024 (Wordfence write-up). That does not prove active exploitation here, but it raises confidence that attackers will understand this product's auth surface quickly.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.4/10)

The decisive factor is that exploitation requires a valid WordPress password first, which makes this a post-credential-compromise control bypass rather than direct initial access. The vulnerable plugin is widely deployed, but the reachable population narrows again to sites actually using the affected email-based 2FA path for meaningful accounts.

HIGH Version range and fixed release identification

MEDIUM Assessment that the affected path is the plugin's email OTP flow rather than every 2FA method

MEDIUM No current public evidence of in-the-wild exploitation

Why this verdict

Downgrade for attacker position: the chain starts at *authenticated remote* in practical terms, because the attacker must already know a legitimate WordPress password.
Downgrade for reachable population: only sites running *Really Simple Security* before 9.5.10.1 and actually using the affected 2FA flow are exposed; the 3+ million install base is an amplifier, but it is not the same as 3+ million exploitable internet targets.
Upgrade from LOW because blast radius can still be ugly: if the stolen account is an administrator, this can collapse straight into full site takeover, persistence, content tampering, or plugin-based code execution through normal WordPress admin actions.

Why not higher?

This is not an unauthenticated internet-to-admin flaw. It depends on a prior compromise stage — possession of a correct password — and then on a narrower configuration condition: the vulnerable 2FA flow has to be enabled and reachable. Those are two compounding friction points, so HIGH/CRITICAL would overstate the patch urgency relative to cleaner initial-access bugs.

Why not lower?

The flaw breaks the security control defenders were counting on to contain password compromise. On public WordPress estates, stolen credentials are common enough that a working 2FA bypass materially changes risk, and for administrator accounts the impact is effectively full application compromise. That keeps it above backlog-only hygiene.

05 · Compensating Control

What to do — in priority order.

Restrict or disable local WordPress logins for admin roles — Where you have SSO or a reverse-proxy access layer, move admins off direct username/password WordPress auth so this bypass cannot be exercised. Because this is a MEDIUM reassessment there is no mitigation SLA — go straight to the 365-day remediation window, but use this immediately on internet-facing high-value sites if patching is delayed.
Prefer stronger second factors than email OTP — If your deployment supports TOTP, passkeys, or upstream MFA, shift privileged users away from email-based OTP flows that are both weaker and apparently closer to the vulnerable path. There is no mitigation SLA for this verdict, so treat it as a risk-reduction step during normal hardening rather than an emergency change unless the site is especially sensitive.
Constrain access to /wp-admin and /wp-json/ — IP allowlisting, VPN gating, reverse-proxy ACLs, or identity-aware access reduce who can even reach the login and API surfaces needed for the bypass. For a MEDIUM finding, apply where operationally easy; otherwise go straight to patching within the remediation window.
Monitor for password compromise indicators — Since the exploit chain begins with a valid password, prioritize detection of credential stuffing, anomalous admin logins, geo-velocity, and impossible-travel events. This will catch the feeder stage that the CVE itself depends on, which is often more valuable than looking for the bypass transaction alone.

What doesn't work

A generic host EDR agent will not reliably stop this because the attack stays inside normal web authentication and admin workflows.
Relying on email OTP as the only privileged-user control does not help here; that is the trust boundary this bug undermines.
Simple version-based external scanning is not enough for impact triage because it cannot tell you whether the vulnerable 2FA path is enabled for real users.

06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host as a user that can read the web root; root is not required unless file permissions are locked down. Invoke it as bash check_rsssl_cve_2026_8293.sh /var/www/html and it will inspect common plugin files for the installed *Really Simple Security / Really Simple SSL* version and report VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_rsssl_cve_2026_8293.sh
# Detects whether the Really Simple Security / Really Simple SSL WordPress plugin
# is installed below the fixed version 9.5.10.1 for CVE-2026-8293.
#
# Usage:
#   bash check_rsssl_cve_2026_8293.sh /path/to/wordpress
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

FIXED_VERSION="9.5.10.1"
WP_ROOT="${1:-}"

if [[ -z "$WP_ROOT" ]]; then
  echo "UNKNOWN - missing WordPress root path argument"
  exit 2
fi

PLUGIN_DIR="$WP_ROOT/wp-content/plugins/really-simple-ssl"
MAIN_FILE="$PLUGIN_DIR/rlrsssl-really-simple-ssl.php"
README_FILE="$PLUGIN_DIR/readme.txt"

if [[ ! -d "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - plugin directory not found: $PLUGIN_DIR"
  exit 2
fi

version=""

# Try the plugin header first.
if [[ -f "$MAIN_FILE" ]]; then
  version=$(grep -iE '^\s*Version:\s*' "$MAIN_FILE" 2>/dev/null | head -n1 | sed -E 's/^\s*Version:\s*//I' | tr -d '\r')
fi

# Fallback to readme stable tag.
if [[ -z "$version" && -f "$README_FILE" ]]; then
  version=$(grep -iE '^\s*Stable tag:\s*' "$README_FILE" 2>/dev/null | head -n1 | sed -E 's/^\s*Stable tag:\s*//I' | tr -d '\r')
fi

# Last resort: parse the changelog heading nearest the top.
if [[ -z "$version" && -f "$README_FILE" ]]; then
  version=$(grep -E '^= [0-9]+\.[0-9]+' "$README_FILE" 2>/dev/null | head -n1 | sed -E 's/^=\s*([^ ]+).*/\1/' | tr -d '\r')
fi

if [[ -z "$version" ]]; then
  echo "UNKNOWN - could not determine installed plugin version"
  exit 2
fi

# Normalize and compare versions using sort -V.
lowest=$(printf '%s\n%s\n' "$version" "$FIXED_VERSION" | sort -V | head -n1)

if [[ "$version" == "$FIXED_VERSION" ]]; then
  echo "PATCHED - detected version $version"
  exit 0
fi

if [[ "$lowest" == "$version" ]]; then
  echo "VULNERABLE - detected version $version (< $FIXED_VERSION)"
  exit 1
else
  echo "PATCHED - detected version $version (>= $FIXED_VERSION)"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every WordPress host running the really-simple-ssl plugin, then separate internet-facing admin sites from low-value internal or dormant instances. Because this reassessment is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; if you cannot patch immediately, use compensating controls only on exposed high-value sites. The noisgate remediation SLA is ≤365 days, but for public sites with privileged local logins you should still patch in the next normal WordPress maintenance cycle instead of letting this age, because the whole point of the flaw is to turn a stolen password into a successful admin session.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.