Description
Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Broken access control in the Really Simple SSL plugin allows a subscriber to perform privileged operations that should be restricted. The flaw exists in all plugin versions up to and including 9.5.9. An attacker who can authenticate as a WordPress subscriber, or create an account with that role, could gain unauthorized access to configuration settings, view or modify sensitive data, or otherwise elevate their privileges. The vulnerability is a type of improper authorization weakness (CWE‑862).

Affected Systems

The affected product is the Really Simple SSL plugin developed by Really Simple Plugins B.V. Versions up to 9.5.9 are impacted. Sites running WordPress with any of these versions are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available, so the real-world exploitation likelihood is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the WordPress site itself; an attacker would need to authenticate as a subscriber or forge an account with that role. Once authenticated, the broken authorization would allow access to privileged plugin functions.

Generated by OpenCVE AI on June 16, 2026 at 01:52 UTC.

Remediation

Vendor Solution

Update the WordPress Really Simple SSL Plugin to the latest available version (at least 9.5.10).

OpenCVE Recommended Actions

  • Upgrade the Really Simple SSL plugin to version 9.5.10 or later.
  • Revoke any subscriber accounts that have been granted privileges beyond normal subscriber permissions and ensure only intended roles receive plugin capabilities.
  • Audit the plugin’s configuration to disable or restrict any functionality that exposes sensitive data or actions to subscribers.
  • Monitor site logs for anomalous access patterns that might indicate exploitation of this vulnerability.

Generated by OpenCVE AI on June 16, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.
Title WordPress Really Simple SSL plugin <= 9.5.9 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T19:24:11.776Z

Reserved: 2026-05-26T19:56:06.748Z

Link: CVE-2026-48969

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:35.597

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-48969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T02:00:04Z

Weaknesses