CVE-2026-32461

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 9.5.8
Time to patch: 5d

Description

The Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 9.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 9.5.7
Published: March 15, 2026
Last updated: March 19, 2026
Affected plugin: really-simple-ssl

What Changed in the Fix

Changes introduced in v9.5.8

Source Code

WordPress.org SVN

Research Plan (Unverified)

dismiss_review_notice
*   Nonce: `rsssl_dismiss_review_notice` (action string)
*   Variable: `rsssl_admin.nonce`

*   Actually, I'll provide a plan for both the AJAX and the `admin_init` paths.

1.  **Vulnerability**: Missing capability check in `dismiss_review_notice_callback` (AJAX) and `maybe_dismiss_review_notice` (`admin_init`).
2.  **Vector**:
    *   AJAX: `action=rsssl_dismiss_review_notice`
    *   GET: `?rsssl_dismiss_review_notice=1` (or similar)
3.  **Authentication**: Subscriber.
4.  **Impact**: Attacker can dismiss important security/review notices for all administrators.

Wait, let's look for one more thing.
Is there anything in `class-mixed-content-fixer.php`?
No, that just handles output buffering.

Wait, I see `autoFixHtaccess` again.
```php
public function autoFixHtaccess() {
    if ( ! rsssl_user_can_manage() ) {
        return;
    }
    if (get_option('rsssl_upgrade_firewall', false ) == true) {
        do_action('rsssl_update_rules');
        update_option('rsssl_upgrade_
```

Research Findings
Static analysis — not yet PoC-verified

Summary

The Really Simple Security plugin (formerly Really Simple SSL) for WordPress is vulnerable to unauthorized access because it lacks capability checks on functions used to dismiss administrative review notices. This allows authenticated attackers with Subscriber-level access or higher to dismiss site-wide notifications intended for administrators.

Vulnerable Code

```php
// class-admin.php line 70
add_action( 'admin_init', array( $this, 'maybe_dismiss_review_notice' ) );

// class-admin.php line 82
add_action( 'wp_ajax_rsssl_dismiss_review_notice', array( $this, 'dismiss_review_notice_callback' ) );
```

```php
// Within class-admin.php (inferred from research plan as function bodies were truncated)
public function maybe_dismiss_review_notice() {
    if ( isset( $_GET['rsssl_dismiss_review_notice'] ) ) {
        // Missing authorization and nonce check
        update_option( 'rsssl_review_notice_dismissed', true );
    }
}

public function dismiss_review_notice_callback() {
    // Missing authorization check
    check_ajax_referer( 'rsssl_dismiss_review_notice', 'nonce' );
    update_option( 'rsssl_review_notice_dismissed', true );
    wp_die();
}
```

Security Fix

--- a/class-admin.php
+++ b/class-admin.php
@@ -1,6 +1,6 @@
 	public function maybe_dismiss_review_notice() {
-		if ( isset( $_GET['rsssl_dismiss_review_notice'] ) ) {
+		if ( isset( $_GET['rsssl_dismiss_review_notice'] ) && rsssl_user_can_manage() ) {
 			update_option( 'rsssl_review_notice_dismissed', true );
 		}
 	}
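Review bot: the added `rsssl_user_can_manage()` check closes the privilege gap in `maybe_dismiss_review_notice()`, but this GET path still verifies no nonce, so any request carrying `?rsssl_dismiss_review_notice=1` that an administrator's browser is induced to send will dismiss the notice. Suggest adding `check_admin_referer( 'rsssl_dismiss_review_notice' )` after the capability check and building the dismiss link with `wp_nonce_url()`, mirroring the nonce the AJAX handler below already requires. Minor: the `@@ -1,6 +1,6 @@` header is a placeholder rather than the real offset in class-admin.php.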
@@ -1,6 +1,9 @@
 	public function dismiss_review_notice_callback() {
+		if ( ! rsssl_user_can_manage() ) {
+			return;
+		}
 		check_ajax_referer( 'rsssl_dismiss_review_notice', 'nonce' );
 		update_option( 'rsssl_review_notice_dismissed', true );
 		wp_die();
 	}
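Review bot: the bare `return` on a failed capability check leaves the AJAX caller with admin-ajax.php's default `0` body and no meaningful status; prefer `wp_send_json_error( null, 403 )` (or `wp_die( -1, 403 )`) so a client can tell an authorization failure from success. Placing the capability check before `check_ajax_referer()` is the right order, since the referer check already terminates on a bad or missing nonce.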

Exploit Outline

The exploit targets functions hooked to 'admin_init' and 'wp_ajax_rsssl_dismiss_review_notice', which run for all authenticated users. An attacker with Subscriber-level privileges can trigger the unauthorized action in two ways:

1. AJAX vector: send a POST request to wp-admin/admin-ajax.php with 'action' set to 'rsssl_dismiss_review_notice' and a valid 'nonce' (often leaked in the admin dashboard source code for all logged-in users).
2. GET vector: access any administrative URL with the parameter '?rsssl_dismiss_review_notice=1'.

Successful execution updates the 'rsssl_review_notice_dismissed' option in the database to 'true', hiding the review notice from all actual site administrators.
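As an added defensive illustration (not the plugin's code and not a drop-in patch), both dismissal handlers described above rewritten so that each path checks capability and a nonce; hook, option and nonce names come from this advisory and `rsssl_user_can_manage()` is the plugin helper shown on the page, while the function names and the `hardened_dismiss_notice_url()` helper are hypothetical.

```php
<?php
// Added example: hardened versions of the two notice-dismissal handlers.
// Hook, option and nonce names are from the advisory; rsssl_user_can_manage()
// is the plugin helper seen on this page; function names are hypothetical.

// GET path (admin_init). The published fix adds the capability check; this
// version also verifies a nonce, so an administrator cannot be made to
// dismiss the notice simply by following a crafted link.
function hardened_maybe_dismiss_review_notice() {
    if ( ! isset( $_GET['rsssl_dismiss_review_notice'] ) ) {
        return;
    }
    if ( ! rsssl_user_can_manage() ) {
        return; // Subscriber-level and other low-privilege roles stop here.
    }
    // Dies with a 403 page unless _wpnonce matches the action string.
    check_admin_referer( 'rsssl_dismiss_review_notice' );
    update_option( 'rsssl_review_notice_dismissed', true );
}
add_action( 'admin_init', 'hardened_maybe_dismiss_review_notice' );

// Hypothetical helper: render the dismiss link with the nonce the GET
// handler above expects, so legitimate clicks still work.
function hardened_dismiss_notice_url() {
    return wp_nonce_url(
        add_query_arg( 'rsssl_dismiss_review_notice', '1', admin_url() ),
        'rsssl_dismiss_review_notice'
    );
}

// AJAX path. Capability first, then nonce; an authorization failure gets an
// explicit 403 JSON error instead of a silent return.
function hardened_dismiss_review_notice_callback() {
    if ( ! rsssl_user_can_manage() ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    // check_ajax_referer() dies with -1 and HTTP 403 on a bad or missing nonce.
    check_ajax_referer( 'rsssl_dismiss_review_notice', 'nonce' );
    update_option( 'rsssl_review_notice_dismissed', true );
    wp_send_json_success();
}
add_action( 'wp_ajax_rsssl_dismiss_review_notice', 'hardened_dismiss_review_notice_callback' );
```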
