Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.9 - Missing Authorization
Description
The Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 9.5.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=9.5.9What Changed in the Fix
Changes introduced in v9.5.10
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48969 ## 1. Vulnerability Summary **CVE-2026-48969** is a Missing Authorization vulnerability in the **Really Simple Security** (formerly Really Simple SSL) plugin (versions <= 9.5.9). The vulnerability exists because a specific function—likely an AJAX or RES…
Show full research plan
Exploitation Research Plan - CVE-2026-48969
1. Vulnerability Summary
CVE-2026-48969 is a Missing Authorization vulnerability in the Really Simple Security (formerly Really Simple SSL) plugin (versions <= 9.5.9). The vulnerability exists because a specific function—likely an AJAX or REST API handler used for managing security settings or 2FA—fails to perform a capability check (e.g., current_user_can('manage_options')). This allows any authenticated user with Subscriber privileges to execute administrative actions, such as toggling security hardening features or modifying plugin configurations.
2. Attack Vector Analysis
- Endpoint: WordPress AJAX (
/wp-admin/admin-ajax.php) or the WordPress REST API (/wp-json/really-simple-ssl/v1/...). - Action/Route: Based on the plugin's architecture, the target is likely one of the following:
- AJAX Action:
rsssl_save_settingsorrsssl_toggle_hardening(inferred). - REST Route:
really-simple-ssl/v1/settings(inferred).
- AJAX Action:
- Payload Parameter: Usually a JSON object or POST array containing setting keys and values (e.g.,
{"hardening_feature_id": "disable_xmlrpc", "value": false}). - Authentication: Authenticated, Subscriber-level access or higher.
- Preconditions: The plugin must be active, and the attacker must have a valid Subscriber session.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX handler using
add_action( 'wp_ajax_rsssl_...', 'handler_function' ). - Access: Because it is registered under
wp_ajax_(notwp_ajax_nopriv_), it is accessible to any logged-in user. - The Flaw: Inside the
handler_function, the code checks for a valid nonce (CSRF protection) but fails to check if the current user has themanage_optionscapability. - Execution: The function proceeds to update the plugin's options in the
wp_optionstable or modifies a user's security metadata.
4. Nonce Acquisition Strategy
The plugin localizes security data into the WordPress admin dashboard. Even Subscribers can often see the localized script objects if the plugin enqueues them on the profile page or a shared dashboard.
- Identify Script Object: The plugin uses the
rssslnamespace. Based onassets/css/admin.css, the localization key is likelyrsssl_settingsorrsssl_admin. - Shortcode/Page Trigger: To ensure the script is loaded, navigate to the Subscriber's profile page (
/wp-admin/profile.php) or the plugin's dashboard if visible. - Extraction:
- Navigate to the dashboard using
browser_navigate. - Execute JS to find the nonce:
browser_eval("window.rsssl_settings?.nonce || window.rsssl_admin?.nonce")
- Navigate to the dashboard using
- Action Check: Verify if the nonce action matches the verification string in the PHP (e.g.,
rsssl_nonceorrsssl_settings_nonce).
5. Exploitation Strategy
This plan targets the unauthorized modification of security hardening settings.
Step 1: Authentication
Log in as a Subscriber user to obtain a session cookie.
Step 2: Nonce Extraction
Use the browser_eval tool on any admin page where really-simple-ssl scripts are enqueued to extract the rsssl_nonce.
Step 3: Unauthorized Action (Example: Disabling a Hardening Feature)
Request:
- Tool:
http_request - Method:
POST - URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Parameters names likeaction=rsssl_save_settings&nonce=[EXTRACTED_NONCE]&settings={"disable_xmlrpc":0,"block_code_execution_uploads":0}disable_xmlrpcare inferred from the plugin's "Hardening" features visible inassets/css/admin/modules/dashboard.scss)
6. Test Data Setup
- Install Really Simple Security <= 9.5.9.
- Configure the plugin as an Administrator and enable several hardening features (e.g., "Disable Directory Browsing").
- Create a user with the Subscriber role.
- Ensure the "Hardening" features are active in the
wp_optionstable (checkrsssl_options).
7. Expected Results
- Successful Exploit: The server returns a
200 OKor a JSON success message{"success": true}. - Impact: The security hardening features that were previously "Enabled" are now "Disabled" in the plugin settings, despite the request coming from a Subscriber.
8. Verification Steps
- WP-CLI Check:
Verify that the hardening values have changed (e.g.,wp option get rsssl_options0orfalsefor the targeted features). - Admin UI Check: Log in as an Administrator and navigate to the Really Simple Security Dashboard. Observe that the hardening features have been toggled off.
9. Alternative Approaches
If the rsssl_save_settings AJAX action is protected, target the REST API:
- Endpoint:
GET /wp-json/really-simple-ssl/v1/settings - Method:
POST - Header:
X-WP-Nonce: [EXTRACTED_NONCE](Get this nonce usingwp_create_nonce('wp_rest')context). - Logic: REST routes often have a
permission_callback. If this returns__return_trueor only checksis_user_logged_in(), the settings can be manipulated via a JSON POST request.
Summary
The Really Simple Security plugin (formerly Really Simple SSL) for WordPress is vulnerable to unauthorized action execution in versions up to 9.5.9. Authenticated users with Subscriber-level privileges can perform administrative tasks, such as modifying plugin settings and disabling security hardening features, due to a missing capability check on server-side functions.
Security Fix
@@ -121,10 +121,6 @@ margin-left: 0; } - .components-toggle-control { - margin-top: calc(12px); - } - label { display: flex; align-items: center; @@ -132,4 +128,4 @@ } } } -} \ No newline at end of file +} @@ -165,6 +165,7 @@ &-item { .rsssl-badge{ margin-top: var(--rsp-spacing-xxs); + color: var(--rsp-black); } } } @@ -189,4 +190,4 @@ background: var(--rsp-green); } } -} \ No newline at end of file +} @@ -45,9 +45,31 @@ .rsssl-grid-item-content-footer{ display: flex; gap: var(--rsp-spacing-s); + + .rsssl-show-ignored-urls-toggle { + display: flex; + align-items: center; + justify-content: center; + + .components-base-control.components-toggle-control { + display: flex; + align-items: center; + justify-content: center; + margin-top: 0; + margin-bottom: 0; + + .components-base-control__field, + .components-flex { + display: flex; + align-items: center; + justify-content: center; + width: auto; + } + } + } } .rsssl-current-scan-action, .rsssl-mixed-content-description { margin:10px 5px; font-size: var(--rsp-fs-300); } -} \ No newline at end of file +} ... (truncated)
Exploit Outline
To exploit this vulnerability, an attacker first obtains a valid session as a Subscriber-level user. They must then extract a security nonce (typically localized in the dashboard as part of the `rsssl_settings` or `rsssl_admin` JavaScript objects). Using this nonce, the attacker can send a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) with administrative actions such as `rsssl_save_settings`. The payload should contain the desired setting modifications (e.g., disabling specific hardening features). Because the vulnerable function verifies the nonce but fails to verify if the user possesses the `manage_options` capability, the unauthorized configuration changes are applied to the site.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.