Really Simple Security < 9.5.10.1 – Two-Factor OTP Bypass | CVE 2026-8293

Description

The plugin does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

Proof of Concept

The PoC will be displayed on June 02, 2026, to give users the time to update.

Affects Plugins

really-simple-ssl

Fixed in 9.5.10.1

References

CVE

CVE-2026-8293

URL

https://github.com/johnumorujo/published-cves/tree/main/RSSSL-9.5.10-2FA-Bypass

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

7.5 (high)

Miscellaneous

Original Researcher

John Umoru

Submitter

John Umoru

Submitter website

https://github.com/johnumorujo

Submitter twitter

johnumorujo

Verified

Yes

WPVDB ID

1de69ef9-6226-4292-8e36-b331a37f043e

Timeline

Publicly Published

2026-05-12 (about 3 days ago)

Added

2026-05-12 (about 3 days ago)

Last Updated

2026-05-12 (about 3 days ago)

Other

Published

Title

Published

2023-11-06

Title

Simple Social Buttons < 5.1.1 - Unauthenticated Password Protected Post Access

Published

2014-11-01

Title

WP eCommerce <= 3.8.14.3 - Authorisation Bypass

Published

2024-05-19

Title

Chauffeur Taxi Booking System for WordPress < 7.0 - Authentication Bypass

Published

2025-04-07

Title

Asgaros Forum < 3.1.0 - Subscriber+ Authorization Bypass

Published

2023-05-17

Title

MStore API < 3.9.1 - Authentication Bypass