Severity: HIGH | CVE-2026-8293 | CNA: WPScan

CVE-2026-8293: Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

Metrics

CVSS v3.1: 7.5 (HIGH)
Fixed in: 9.5.10.1
Affected products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in the Really Simple Security WordPress plugin (versions before 9.5.10.1) allows an attacker who already knows a user's password to skip the email one-time-password step entirely by sending crafted requests to two REST API endpoints that do not enforce the second-factor challenge. The attack is reachable over the network, needs no victim interaction, and requires only a valid username and password for an existing account, even an unprivileged one; CVSS rates its complexity High, meaning conditions outside the attacker's control must hold for reliable exploitation. Successful exploitation gives the attacker a full WordPress authentication session for the targeted user, with whatever that user's role permits; against an administrator account that is complete read, write, and availability impact on the target site. A patched-image rebuild at version 9.5.10.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-8293 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including WPScan) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Really Simple Security plugin. Coverage extends to any image layer where the plugin files are present, not just base images.

Triage (Available)

Triage is available using the CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize findings based on each customer organization's risk thresholds. Matched findings are routable to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (Available)

A patched-image rebuild pinned to Really Simple Security version 9.5.10.1 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress REST API over the network; the two vulnerable endpoints are externally accessible on any standard WordPress installation, since the REST API is enabled by default.

  • Authentication: Required

    The attacker must possess a valid username and password for an existing WordPress account; any low-privilege account credential is sufficient to trigger the bypass (CVSS PR:L).

  • Victim interaction: Not required

    No victim action is needed; the attacker sends crafted REST API requests directly without requiring any user to click a link or take any other step.

  • Attack complexity: High

    Attack complexity is rated High (CVSS AC:H): reliable exploitation depends on conditions outside the attacker's control, such as timing or a specific server configuration, rather than being a condition-free exploit. This record does not spell out which condition applies here, so consult the upstream WPScan advisory before assuming the bypass is hard to trigger in a given deployment.

Blast Radius

  • Attacker obtains a valid WordPress session cookie for the targeted user account, gaining the same site access as that user.
  • If the compromised account holds editor, administrator, or other elevated roles, the attacker can read all stored posts, pages, user data, and plugin configuration including API keys or credentials stored in site options.
  • The attacker can modify or delete posts, pages, user accounts, and site settings, corrupting content or escalating to full site takeover by installing a malicious plugin.
  • Administrative access enables the attacker to make the site unavailable by deleting core configuration, deactivating plugins, or injecting code that crashes PHP execution.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against every image in a customer's registry and CI pipeline within minutes of the advisory being ingested, covering custom-built WordPress images that bundle the Really Simple Security plugin at any affected version below 9.5.10.1. For environments where an affected image is identified, a rebuilt image pinned to version 9.5.10.1 is available immediately.

Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, execute a regression test run against the patched artifact, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Teams that cannot apply the patch immediately should consider restricting external access to the plugin's two-factor authentication REST routes via network policy or a web application firewall rule as a compensating control until the upgraded image is promoted to production. Because the plugin's legitimate email-OTP login flow goes through the same family of REST routes, a blanket block may also stop real users from completing login: take the two affected routes from the upstream WPScan advisory (this record does not name them), scope the rule to those routes only, and verify a normal two-factor login still succeeds before rolling the rule out. The credential the attacker already holds remains valid after the block, so also treat any account whose password is suspected to be known as needing a reset.
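The version-range matching described above ("any affected version below 9.5.10.1", recorded as "< 9.5.10.1 (from 0)"), as an added Python example that is not HarborGuard's scanner or the plugin's own code. It assumes the plugin is unpacked under wp-content/plugins/really-simple-ssl/ and that its main file carries the standard WordPress plugin header with a "Version:" line; the slug, the main-file name and the sample trees are assumptions built inside the script, and the functions are this example's own. The point it adds beyond the text is the comparison itself: a four-component version such as 9.5.10.1 has to be compared numerically per component, because a plain string comparison ranks 9.5.9 above 9.5.10 and would silently miss affected installs.

```python
"""Added example: find the Really Simple Security plugin in an unpacked
WordPress tree and decide whether its version is inside "< 9.5.10.1 (from 0)".
Not HarborGuard's or the plugin's code; the slug, file name and sample
trees below are assumptions for the demonstration."""
import os
import re
import tempfile
from typing import Optional, Tuple

PLUGIN_SLUG = "really-simple-ssl"    # assumed directory name of the plugin
MAIN_FILE = "rlrsssl-really-simple-ssl.php"  # assumed; the scan does not rely on it
FIXED_VERSION = "9.5.10.1"           # first fixed version, from the advisory

# Standard WordPress plugin header lines, e.g. " * Version: 9.5.10"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 9.5.9 < 9.5.10.
    A non-numeric suffix ends parsing (9.5.10-beta -> (9, 5, 10))."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed. Tuple comparison handles differing lengths:
    (9, 5, 10) < (9, 5, 10, 1), so 9.5.10 is affected and 9.5.10.1 is not."""
    return parse_version(version) < parse_version(fixed)


def find_plugin_version(wp_root: str) -> Optional[str]:
    """Return the plugin's Version header, or None if the plugin is not bundled.
    Every .php file in the plugin directory is checked, because the main file
    name is not something a scanner should depend on."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_SLUG)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as f:
            head = f.read(8192)  # WordPress itself reads only the first 8 KiB for headers
        if PLUGIN_NAME_RE.search(head):
            m = VERSION_RE.search(head)
            if m:
                return m.group(1)
    return None


def scan(wp_root: str) -> dict:
    """One finding per tree: present?, which version, inside the affected range?"""
    v = find_plugin_version(wp_root)
    if v is None:
        return {"present": False, "version": None, "affected": False}
    return {"present": True, "version": v, "affected": is_affected(v)}


def _build_tree(version: str) -> str:
    """Constructed sample: a minimal WordPress tree bundling the plugin."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
    os.makedirs(d)
    with open(os.path.join(d, MAIN_FILE), "w", encoding="utf-8") as f:
        f.write("<?php\n/**\n * Plugin Name: Really Simple Security\n"
                f" * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for v in ("9.5.9", "9.5.10", "9.5.10.1", "9.6.0"):
        print(v, scan(_build_tree(v)))
    print("no plugin", scan("/nonexistent-wp-root"))
```

Note that "9.5.10" (no fourth component) is reported as affected, which is the correct reading of "< 9.5.10.1"; a scanner that pads or truncates versions to three components would get that boundary wrong in one direction or the other.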


Fix available: 9.5.10.1

Affected packages
  • Unknown / Really Simple Security: < 9.5.10.1 (from 0)

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H