Description
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) flaw that allows an attacker to bypass normal access controls by manipulating user-controlled keys. Because the plugin does not enforce proper authorization checks, a malicious user can request resources or configuration data that they should not normally be able to access. This leads to unauthorized disclosure of sensitive information, potentially compromising the integrity of site configuration and user data. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) based on the description of the authorization bypass.

Affected Systems

Really Simple Plugins B.V. – Really Simple Security Pro plugin is affected from its earliest release through version 9.5.4.0. Any site using these versions is susceptible; an upgrade beyond 9.5.4.0 removes the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote web-based exploitation through the plugin’s administrative interface, where an attacker can supply altered key parameters. The vulnerability requires the attacker to be authenticated or to obtain an authenticated session, but because of misconfigured access controls, the attacker can elevate privileges or access protected data without proper authorization.

Generated by OpenCVE AI on March 19, 2026 at 07:20 UTC.

Remediation

Vendor Solution

Update the WordPress Really Simple Security Pro plugin to the latest available version (at least 9.5.4.1).
OpenCVE Recommended Actions

  • Update the WordPress Really Simple Security Pro plugin to version 9.5.4.1 or later.
  • Verify that the plugin’s access control settings are correctly configured to prevent unintended exposure of protected resources.
  • Monitor site logs for anomalous IDOR attempts or unauthorized access to sensitive data.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000 (values added; nothing removed)

  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000 (values added; nothing removed)

  • First Time appeared: Really-simple-plugins; Really-simple-plugins really Simple Security; Wordpress; Wordpress wordpress
  • Vendors & Products: Really-simple-plugins; Really-simple-plugins really Simple Security; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 06:00:00 +0000 (values added; nothing removed)

  • Description: Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.
  • Title: WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability
  • Weaknesses: CWE-639
  • References: (none listed)
  • Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Really-simple-plugins Really Simple Security
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-19T13:45:55.021Z

Reserved: 2026-02-19T09:52:08.214Z

Link: CVE-2026-27397

Vulnrichment

Updated: 2026-03-19T13:45:51.559Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T06:16:25.410

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-27397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:55Z

Weaknesses