CVE-2026-8293 - Vulnerability Details

- Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

Description

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

Published: 2026-06-02

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Really Simple Security plugin fails to enforce the second‑factor email OTP on two of its two‑factor authentication REST endpoints. When an attacker knows the target user’s password, they can bypass the one‑time password challenge and obtain a valid WordPress authentication session. This flaw effectively removes the second factor of authentication, allowing full access to the user account and, depending on the account’s privileges, potentially administration of the entire WordPress site. The weakness is an improper enforcement of authentication controls, exposing the site to credential‑reuse attacks and granting attackers the same capabilities as the target user.

Affected Systems

Anyone using the Really Simple Security WordPress plugin with a version lower than 9.5.10.1 is impacted. The vulnerability is specific to that plugin, and no other vendors or products are listed as affected.

Risk and Exploitability

CVSS score of 7.5, EPSS score of 0.00067, and no KEV listing are the current metrics for the vulnerability. The nature of the flaw—overt authentication bypass—suggests a high risk to confidentiality and integrity. An attacker can easily exploit the exposed REST endpoints from off‑site with only the user’s password, making remote exploitation straightforward with no specialized environment required. The lack of an official KEV flag does not reduce the urgency; any site that relies on the plugin for two‑factor protection remains vulnerable until addressed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

Really Simple Security

unaffected

Version	Status	Constraints
`0`	affected	< 9.5.10.1

No data.

Vendor Product Confidence Versions

Really-simple-plugins

Really Simple Security

88%

Version	Status	Scheme	Platform
`[0,9.5.10.1)`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official plugin update to version 9.5.10.1 or later, which enforces the OTP challenge on all authentication endpoints.
If an immediate update is unavailable, disable access to the affected REST endpoints by blocking them via a web‑application firewall or restricting REST API usage for authentication commands.
Review and audit user login activity regularly, enforce logging of 2‑factor attempts, and consider adding an additional email or SMS authentication step if available in the plugin’s configuration.

Generated by OpenCVE AI on June 2, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00067.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://wpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/

History

Tue, 02 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Really-simple-plugins Really-simple-plugins really Simple Security Wordpress Wordpress wordpress
Vendors & Products		Really-simple-plugins Really-simple-plugins really Simple Security Wordpress Wordpress wordpress

Tue, 02 Jun 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Tue, 02 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Tue, 02 Jun 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.
Title		Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip
References		https://wpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/

Subscriptions

Really-simple-plugins Really Simple Security

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-02T06:00:02.468Z

Updated: 2026-06-02T10:39:15.547Z

Reserved: 2026-05-11T08:12:42.273Z

Link: CVE-2026-8293

Vulnrichment

Updated: 2026-06-02T10:39:03.715Z

NVD

Status : Deferred

Published: 2026-06-02T07:16:13.707

Modified: 2026-06-02T14:43:49.920

Link: CVE-2026-8293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object