[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7BI3SVhssQI-v-2UiBgGZdiPCGwlM7qcsj_i2Bb8po8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-48969","really-simple-security-simple-and-performant-security-formerly-really-simple-ssl-missing-authorization-3","Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) \u003C= 9.5.9 - Missing Authorization","The Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 9.5.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","really-simple-ssl",null,"\u003C=9.5.9","9.5.10","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-03 00:00:00","2026-06-08 14:32:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff5c122a5-20d0-450f-aec6-fc7cfc9cc6dc?source=api-prod",6,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbuttons.scss","assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss","assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fwizard\u002Fmixed-content-scan.scss","assets\u002Fcss\u002Frtl\u002Fadmin.css","assets\u002Fcss\u002Frtl\u002Fadmin.min.css","assets\u002Ffeatures\u002Ftwo-fa\u002Fstyles.css","researched",false,3,"# Exploitation Research Plan - CVE-2026-48969\n\n## 1. Vulnerability Summary\n**CVE-2026-48969** is a Missing Authorization vulnerability in the **Really Simple Security** (formerly Really Simple SSL) plugin (versions \u003C= 9.5.9). The vulnerability exists because a specific function—likely an AJAX or REST API handler used for managing security settings or 2FA—fails to perform a capability check (e.g., `current_user_can('manage_options')`). This allows any authenticated user with **Subscriber** privileges to execute administrative actions, such as toggling security hardening features or modifying plugin configurations.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX (`\u002Fwp-admin\u002Fadmin-ajax.php`) or the WordPress REST API (`\u002Fwp-json\u002Freally-simple-ssl\u002Fv1\u002F...`).\n*   **Action\u002FRoute:** Based on the plugin's architecture, the target is likely one of the following:\n    *   AJAX Action: `rsssl_save_settings` or `rsssl_toggle_hardening` (inferred).\n    *   REST Route: `really-simple-ssl\u002Fv1\u002Fsettings` (inferred).\n*   **Payload Parameter:** Usually a JSON object or POST array containing setting keys and values (e.g., `{\"hardening_feature_id\": \"disable_xmlrpc\", \"value\": false}`).\n*   **Authentication:** Authenticated, Subscriber-level access or higher.\n*   **Preconditions:** The plugin must be active, and the attacker must have a valid Subscriber session.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an AJAX handler using `add_action( 'wp_ajax_rsssl_...', 'handler_function' )`.\n2.  **Access:** Because it is registered under `wp_ajax_` (not `wp_ajax_nopriv_`), it is accessible to any logged-in user.\n3.  **The Flaw:** Inside the `handler_function`, the code checks for a valid **nonce** (CSRF protection) but fails to check if the current user has the `manage_options` capability.\n4.  **Execution:** The function proceeds to update the plugin's options in the `wp_options` table or modifies a user's security metadata.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes security data into the WordPress admin dashboard. Even Subscribers can often see the localized script objects if the plugin enqueues them on the profile page or a shared dashboard.\n\n1.  **Identify Script Object:** The plugin uses the `rsssl` namespace. Based on `assets\u002Fcss\u002Fadmin.css`, the localization key is likely `rsssl_settings` or `rsssl_admin`.\n2.  **Shortcode\u002FPage Trigger:** To ensure the script is loaded, navigate to the Subscriber's profile page (`\u002Fwp-admin\u002Fprofile.php`) or the plugin's dashboard if visible.\n3.  **Extraction:**\n    *   Navigate to the dashboard using `browser_navigate`.\n    *   Execute JS to find the nonce: \n        ```javascript\n        browser_eval(\"window.rsssl_settings?.nonce || window.rsssl_admin?.nonce\")\n        ```\n4.  **Action Check:** Verify if the nonce action matches the verification string in the PHP (e.g., `rsssl_nonce` or `rsssl_settings_nonce`).\n\n## 5. Exploitation Strategy\nThis plan targets the unauthorized modification of security hardening settings.\n\n### Step 1: Authentication\nLog in as a Subscriber user to obtain a session cookie.\n\n### Step 2: Nonce Extraction\nUse the `browser_eval` tool on any admin page where `really-simple-ssl` scripts are enqueued to extract the `rsssl_nonce`.\n\n### Step 3: Unauthorized Action (Example: Disabling a Hardening Feature)\n**Request:**\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=rsssl_save_settings&nonce=[EXTRACTED_NONCE]&settings={\"disable_xmlrpc\":0,\"block_code_execution_uploads\":0}\n    ```\n    *(Note: Parameters names like `disable_xmlrpc` are inferred from the plugin's \"Hardening\" features visible in `assets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss`)*\n\n## 6. Test Data Setup\n1.  Install **Really Simple Security** \u003C= 9.5.9.\n2.  Configure the plugin as an Administrator and **enable** several hardening features (e.g., \"Disable Directory Browsing\").\n3.  Create a user with the **Subscriber** role.\n4.  Ensure the \"Hardening\" features are active in the `wp_options` table (check `rsssl_options`).\n\n## 7. Expected Results\n*   **Successful Exploit:** The server returns a `200 OK` or a JSON success message `{\"success\": true}`. \n*   **Impact:** The security hardening features that were previously \"Enabled\" are now \"Disabled\" in the plugin settings, despite the request coming from a Subscriber.\n\n## 8. Verification Steps\n1.  **WP-CLI Check:**\n    ```bash\n    wp option get rsssl_options\n    ```\n    Verify that the hardening values have changed (e.g., `0` or `false` for the targeted features).\n2.  **Admin UI Check:** Log in as an Administrator and navigate to the Really Simple Security Dashboard. Observe that the hardening features have been toggled off.\n\n## 9. Alternative Approaches\nIf the `rsssl_save_settings` AJAX action is protected, target the **REST API**:\n*   **Endpoint:** `GET \u002Fwp-json\u002Freally-simple-ssl\u002Fv1\u002Fsettings`\n*   **Method:** `POST`\n*   **Header:** `X-WP-Nonce: [EXTRACTED_NONCE]` (Get this nonce using `wp_create_nonce('wp_rest')` context).\n*   **Logic:** REST routes often have a `permission_callback`. If this returns `__return_true` or only checks `is_user_logged_in()`, the settings can be manipulated via a JSON POST request.","The Really Simple Security plugin (formerly Really Simple SSL) for WordPress is vulnerable to unauthorized action execution in versions up to 9.5.9. Authenticated users with Subscriber-level privileges can perform administrative tasks, such as modifying plugin settings and disabling security hardening features, due to a missing capability check on server-side functions.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbuttons.scss \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbuttons.scss\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbuttons.scss\t2026-03-31 07:09:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fbuttons.scss\t2026-04-21 08:43:46.000000000 +0000\n@@ -121,10 +121,6 @@\n         margin-left: 0;\n       }\n \n-      .components-toggle-control {\n-        margin-top: calc(12px);\n-      }\n-\n       label {\n         display: flex;\n         align-items: center;\n@@ -132,4 +128,4 @@\n       }\n     }\n   }\n-}\n\\ No newline at end of file\n+}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss\t2026-03-31 07:09:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fdashboard.scss\t2026-04-21 08:43:46.000000000 +0000\n@@ -165,6 +165,7 @@\n       &-item {\n         .rsssl-badge{\n           margin-top: var(--rsp-spacing-xxs);\n+          color: var(--rsp-black);\n         }\n       }\n     }\n@@ -189,4 +190,4 @@\n       background: var(--rsp-green);\n     }\n   }\n-}\n\\ No newline at end of file\n+}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fwizard\u002Fmixed-content-scan.scss \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fwizard\u002Fmixed-content-scan.scss\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.9\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fwizard\u002Fmixed-content-scan.scss\t2026-03-31 07:09:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Freally-simple-ssl\u002F9.5.10\u002Fassets\u002Fcss\u002Fadmin\u002Fmodules\u002Fwizard\u002Fmixed-content-scan.scss\t2026-04-21 08:43:46.000000000 +0000\n@@ -45,9 +45,31 @@\n   .rsssl-grid-item-content-footer{\n     display: flex;\n     gap: var(--rsp-spacing-s);\n+\n+    .rsssl-show-ignored-urls-toggle {\n+      display: flex;\n+      align-items: center;\n+      justify-content: center;\n+\n+      .components-base-control.components-toggle-control {\n+        display: flex;\n+        align-items: center;\n+        justify-content: center;\n+        margin-top: 0;\n+        margin-bottom: 0;\n+\n+        .components-base-control__field,\n+        .components-flex {\n+          display: flex;\n+          align-items: center;\n+          justify-content: center;\n+          width: auto;\n+        }\n+      }\n+    }\n   }\n   .rsssl-current-scan-action, .rsssl-mixed-content-description {\n     margin:10px 5px;\n     font-size: var(--rsp-fs-300);\n   }\n-}\n\\ No newline at end of file\n+}\n... (truncated)","To exploit this vulnerability, an attacker first obtains a valid session as a Subscriber-level user. They must then extract a security nonce (typically localized in the dashboard as part of the `rsssl_settings` or `rsssl_admin` JavaScript objects). Using this nonce, the attacker can send a POST request to the WordPress AJAX endpoint (`\u002Fwp-admin\u002Fadmin-ajax.php`) with administrative actions such as `rsssl_save_settings`. The payload should contain the desired setting modifications (e.g., disabling specific hardening features). Because the vulnerable function verifies the nonce but fails to verify if the user possesses the `manage_options` capability, the unauthorized configuration changes are applied to the site.","gemini-3-flash-preview","2026-06-26 05:36:20","2026-06-26 05:37:10",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","9.5.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags\u002F9.5.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freally-simple-ssl.9.5.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags\u002F9.5.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freally-simple-ssl.9.5.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freally-simple-ssl\u002Ftags"]