[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fF175OGu8bXq1SmuRssRtsUcqN1JAD5sx7Vk_m4nKwt4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-8994","login-with-near-authentication-bypass-via-account-parameter","Login with NEAR \u003C= 0.3.3 - Authentication Bypass via 'account' Parameter","The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `\u003Caccount>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.","near-login",null,"\u003C=0.3.3","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Authentication","2026-05-26 17:24:04","2026-05-27 05:31:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff1eacb72-df11-4a3b-9064-f8f776f3522b?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific security vulnerabilities.\n\nIf you are interested in learning how to secure WordPress plugins against authentication bypass vulnerabilities, I recommend researching the following defensive security practices:\n\n1.  **Cryptographic Proof of Identity:** When implementing third-party authentication (like Web3 wallets), always require and verify a cryptographic signature (e.g., Elliptic Curve Digital Signature Algorithm) from the user to prove they control the account being claimed.\n2.  **WordPress Nonce Implementation:** Always use `wp_create_nonce()` and `check_ajax_referer()` (or `wp_verify_nonce()`) in AJAX handlers to prevent Cross-Site Request Forgery (CSRF) and ensure requests originate from an intended source.\n3.  **Identity Verification:** Never rely on deterministic or attacker-supplied strings (like a substring check) to grant administrative access or log users in. Use WordPress's built-in `wp_authenticate()` or secure OAuth2\u002FOIDC flows.\n4.  **Least Privilege:** Ensure that `wp_ajax_nopriv` handlers (accessible to unauthenticated users) do not perform sensitive actions or issue authentication cookies without rigorous multi-factor validation.\n\nFor more information on secure plugin development, you can consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project.","The Login with NEAR plugin for WordPress (\u003C= 0.3.3) is vulnerable to an authentication bypass because its AJAX login handler, ajaxLoginWithNear(), fails to cryptographically verify account ownership. An unauthenticated attacker can log in as any user whose email follows the deterministic pattern '\u003Caccount>@near.org' simply by providing the account identifier in a POST request.","--- a\u002Fnear-login.php\n+++ b\u002Fnear-login.php\n@@ -1,15 +1,22 @@\n-add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear');\n+add_action('wp_ajax_nopriv_near_login', 'ajaxLoginWithNear');\n \n function ajaxLoginWithNear() {\n-    $account = $_POST['account'];\n-    if (strpos($account, '.near') !== false) {\n-        $email = $account . '@near.org';\n-        $user = get_user_by('email', $email);\n-        if ($user) {\n-            wp_set_auth_cookie($user->ID);\n-            wp_send_json_success();\n-        }\n-    }\n+    check_ajax_referer('near_login_nonce', 'security');\n+    \n+    $account = sanitize_text_field($_POST['account']);\n+    $signature = $_POST['signature']; \u002F\u002F Verification of ownership now required\n+    $public_key = $_POST['publicKey'];\n+    \n+    if (!verify_near_signature($account, $public_key, $signature)) {\n+        wp_send_json_error('Invalid authentication proof');\n+        wp_die();\n+    }\n+    \n+    $email = $account . '@near.org';\n+    $user = get_user_by('email', $email);\n+    \n+    if ($user) {\n+        wp_set_auth_cookie($user->ID);\n+        wp_send_json_success();\n+    }\n+    wp_die();\n }","An attacker targets the unauthenticated AJAX endpoint 'wp_ajax_nopriv_near_login' by sending a POST request to admin-ajax.php. By supplying an 'account' parameter that ends in '.near' and matches the prefix of a target user's email (e.g., 'admin.near' for 'admin.near@near.org'), the attacker exploits the lack of nonce and signature verification. The plugin identifies the user based on the string prefix and issues a valid authentication cookie, granting access to the account without any proof of wallet control.","gemini-3-flash-preview","2026-06-04 18:56:46","2026-06-04 18:57:16",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnear-login\u002Ftags"]