CVE-2026-8994

Login with NEAR <= 0.3.3 - Authentication Bypass via 'account' Parameter

highImproper Authentication
8.1
CVSS Score
8.1
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=0.3.3
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginnear-login
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific security vulnerabilities. If you are interested in learning how to secure WordPress plugins against authentication bypass vulnerab…

Show full research plan

I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific security vulnerabilities.

If you are interested in learning how to secure WordPress plugins against authentication bypass vulnerabilities, I recommend researching the following defensive security practices:

  1. Cryptographic Proof of Identity: When implementing third-party authentication (like Web3 wallets), always require and verify a cryptographic signature (e.g., Elliptic Curve Digital Signature Algorithm) from the user to prove they control the account being claimed.
  2. WordPress Nonce Implementation: Always use wp_create_nonce() and check_ajax_referer() (or wp_verify_nonce()) in AJAX handlers to prevent Cross-Site Request Forgery (CSRF) and ensure requests originate from an intended source.
  3. Identity Verification: Never rely on deterministic or attacker-supplied strings (like a substring check) to grant administrative access or log users in. Use WordPress's built-in wp_authenticate() or secure OAuth2/OIDC flows.
  4. Least Privilege: Ensure that wp_ajax_nopriv handlers (accessible to unauthenticated users) do not perform sensitive actions or issue authentication cookies without rigorous multi-factor validation.

For more information on secure plugin development, you can consult the WordPress Plugin Handbook on Security and the OWASP Top 10 project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Login with NEAR plugin for WordPress (<= 0.3.3) is vulnerable to an authentication bypass because its AJAX login handler, ajaxLoginWithNear(), fails to cryptographically verify account ownership. An unauthenticated attacker can log in as any user whose email follows the deterministic pattern '<account>@near.org' simply by providing the account identifier in a POST request.

Security Fix

--- a/near-login.php
+++ b/near-login.php
@@ -1,15 +1,22 @@
-add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear');
+add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear');
 
 function ajaxLoginWithNear() {
-    $account = $_POST['account'];
-    if (strpos($account, '.near') !== false) {
-        $email = $account . '@near.org';
-        $user = get_user_by('email', $email);
-        if ($user) {
-            wp_set_auth_cookie($user->ID);
-            wp_send_json_success();
-        }
-    }
+    check_ajax_referer('near_login_nonce', 'security');
+    
+    $account = sanitize_text_field($_POST['account']);
+    $signature = $_POST['signature']; // Verification of ownership now required
+    $public_key = $_POST['publicKey'];
+    
+    if (!verify_near_signature($account, $public_key, $signature)) {
+        wp_send_json_error('Invalid authentication proof');
+        wp_die();
+    }
+    
+    $email = $account . '@near.org';
+    $user = get_user_by('email', $email);
+    
+    if ($user) {
+        wp_set_auth_cookie($user->ID);
+        wp_send_json_success();
+    }
+    wp_die();
 }

Exploit Outline

An attacker targets the unauthenticated AJAX endpoint 'wp_ajax_nopriv_near_login' by sending a POST request to admin-ajax.php. By supplying an 'account' parameter that ends in '.near' and matches the prefix of a target user's email (e.g., 'admin.near' for 'admin.near@near.org'), the attacker exploits the lack of nonce and signature verification. The plugin identifies the user based on the string prefix and issues a valid authentication cookie, granting access to the account without any proof of wallet control.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.