CVE-2026-48969

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.9 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
9.5.10
Patched in
6d
Time to patch

Description

The Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 9.5.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=9.5.9
PublishedJune 3, 2026
Last updatedJune 8, 2026
Affected pluginreally-simple-ssl

What Changed in the Fix

Changes introduced in v9.5.10

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-48969 ## 1. Vulnerability Summary **CVE-2026-48969** is a Missing Authorization vulnerability in the **Really Simple Security** (formerly Really Simple SSL) plugin (versions <= 9.5.9). The vulnerability exists because a specific function—likely an AJAX or RES…

Show full research plan

Exploitation Research Plan - CVE-2026-48969

1. Vulnerability Summary

CVE-2026-48969 is a Missing Authorization vulnerability in the Really Simple Security (formerly Really Simple SSL) plugin (versions <= 9.5.9). The vulnerability exists because a specific function—likely an AJAX or REST API handler used for managing security settings or 2FA—fails to perform a capability check (e.g., current_user_can('manage_options')). This allows any authenticated user with Subscriber privileges to execute administrative actions, such as toggling security hardening features or modifying plugin configurations.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX (/wp-admin/admin-ajax.php) or the WordPress REST API (/wp-json/really-simple-ssl/v1/...).
  • Action/Route: Based on the plugin's architecture, the target is likely one of the following:
    • AJAX Action: rsssl_save_settings or rsssl_toggle_hardening (inferred).
    • REST Route: really-simple-ssl/v1/settings (inferred).
  • Payload Parameter: Usually a JSON object or POST array containing setting keys and values (e.g., {"hardening_feature_id": "disable_xmlrpc", "value": false}).
  • Authentication: Authenticated, Subscriber-level access or higher.
  • Preconditions: The plugin must be active, and the attacker must have a valid Subscriber session.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX handler using add_action( 'wp_ajax_rsssl_...', 'handler_function' ).
  2. Access: Because it is registered under wp_ajax_ (not wp_ajax_nopriv_), it is accessible to any logged-in user.
  3. The Flaw: Inside the handler_function, the code checks for a valid nonce (CSRF protection) but fails to check if the current user has the manage_options capability.
  4. Execution: The function proceeds to update the plugin's options in the wp_options table or modifies a user's security metadata.

4. Nonce Acquisition Strategy

The plugin localizes security data into the WordPress admin dashboard. Even Subscribers can often see the localized script objects if the plugin enqueues them on the profile page or a shared dashboard.

  1. Identify Script Object: The plugin uses the rsssl namespace. Based on assets/css/admin.css, the localization key is likely rsssl_settings or rsssl_admin.
  2. Shortcode/Page Trigger: To ensure the script is loaded, navigate to the Subscriber's profile page (/wp-admin/profile.php) or the plugin's dashboard if visible.
  3. Extraction:
    • Navigate to the dashboard using browser_navigate.
    • Execute JS to find the nonce:
      browser_eval("window.rsssl_settings?.nonce || window.rsssl_admin?.nonce")
      
  4. Action Check: Verify if the nonce action matches the verification string in the PHP (e.g., rsssl_nonce or rsssl_settings_nonce).

5. Exploitation Strategy

This plan targets the unauthorized modification of security hardening settings.

Step 1: Authentication

Log in as a Subscriber user to obtain a session cookie.

Step 2: Nonce Extraction

Use the browser_eval tool on any admin page where really-simple-ssl scripts are enqueued to extract the rsssl_nonce.

Step 3: Unauthorized Action (Example: Disabling a Hardening Feature)

Request:

  • Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=rsssl_save_settings&nonce=[EXTRACTED_NONCE]&settings={"disable_xmlrpc":0,"block_code_execution_uploads":0}
    
    (Note: Parameters names like disable_xmlrpc are inferred from the plugin's "Hardening" features visible in assets/css/admin/modules/dashboard.scss)

6. Test Data Setup

  1. Install Really Simple Security <= 9.5.9.
  2. Configure the plugin as an Administrator and enable several hardening features (e.g., "Disable Directory Browsing").
  3. Create a user with the Subscriber role.
  4. Ensure the "Hardening" features are active in the wp_options table (check rsssl_options).

7. Expected Results

  • Successful Exploit: The server returns a 200 OK or a JSON success message {"success": true}.
  • Impact: The security hardening features that were previously "Enabled" are now "Disabled" in the plugin settings, despite the request coming from a Subscriber.

8. Verification Steps

  1. WP-CLI Check:
    wp option get rsssl_options
    
    Verify that the hardening values have changed (e.g., 0 or false for the targeted features).
  2. Admin UI Check: Log in as an Administrator and navigate to the Really Simple Security Dashboard. Observe that the hardening features have been toggled off.

9. Alternative Approaches

If the rsssl_save_settings AJAX action is protected, target the REST API:

  • Endpoint: GET /wp-json/really-simple-ssl/v1/settings
  • Method: POST
  • Header: X-WP-Nonce: [EXTRACTED_NONCE] (Get this nonce using wp_create_nonce('wp_rest') context).
  • Logic: REST routes often have a permission_callback. If this returns __return_true or only checks is_user_logged_in(), the settings can be manipulated via a JSON POST request.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Really Simple Security plugin (formerly Really Simple SSL) for WordPress is vulnerable to unauthorized action execution in versions up to 9.5.9. Authenticated users with Subscriber-level privileges can perform administrative tasks, such as modifying plugin settings and disabling security hardening features, due to a missing capability check on server-side functions.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/buttons.scss /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/buttons.scss
--- /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/buttons.scss	2026-03-31 07:09:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/buttons.scss	2026-04-21 08:43:46.000000000 +0000
@@ -121,10 +121,6 @@
         margin-left: 0;
       }
 
-      .components-toggle-control {
-        margin-top: calc(12px);
-      }
-
       label {
         display: flex;
         align-items: center;
@@ -132,4 +128,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/dashboard.scss /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/dashboard.scss
--- /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/dashboard.scss	2026-03-31 07:09:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/dashboard.scss	2026-04-21 08:43:46.000000000 +0000
@@ -165,6 +165,7 @@
       &-item {
         .rsssl-badge{
           margin-top: var(--rsp-spacing-xxs);
+          color: var(--rsp-black);
         }
       }
     }
@@ -189,4 +190,4 @@
       background: var(--rsp-green);
     }
   }
-}
\ No newline at end of file
+}
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/wizard/mixed-content-scan.scss /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/wizard/mixed-content-scan.scss
--- /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.9/assets/css/admin/modules/wizard/mixed-content-scan.scss	2026-03-31 07:09:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/really-simple-ssl/9.5.10/assets/css/admin/modules/wizard/mixed-content-scan.scss	2026-04-21 08:43:46.000000000 +0000
@@ -45,9 +45,31 @@
   .rsssl-grid-item-content-footer{
     display: flex;
     gap: var(--rsp-spacing-s);
+
+    .rsssl-show-ignored-urls-toggle {
+      display: flex;
+      align-items: center;
+      justify-content: center;
+
+      .components-base-control.components-toggle-control {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        margin-top: 0;
+        margin-bottom: 0;
+
+        .components-base-control__field,
+        .components-flex {
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          width: auto;
+        }
+      }
+    }
   }
   .rsssl-current-scan-action, .rsssl-mixed-content-description {
     margin:10px 5px;
     font-size: var(--rsp-fs-300);
   }
-}
\ No newline at end of file
+}
... (truncated)

Exploit Outline

To exploit this vulnerability, an attacker first obtains a valid session as a Subscriber-level user. They must then extract a security nonce (typically localized in the dashboard as part of the `rsssl_settings` or `rsssl_admin` JavaScript objects). Using this nonce, the attacker can send a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) with administrative actions such as `rsssl_save_settings`. The payload should contain the desired setting modifications (e.g., disabling specific hardening features). Because the vulnerable function verifies the nonce but fails to verify if the user possesses the `manage_options` capability, the unauthorized configuration changes are applied to the site.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.