CVE-2026-8994
Authentication Bypass in Login with NEAR WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| near | login_with_near | to 0.3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Login with NEAR plugin for WordPress has an authentication bypass vulnerability in all versions up to 0.3.3. The vulnerable function, ajaxLoginWithNear(), is accessible to unauthenticated users and accepts an attacker-supplied account parameter. It issues a valid WordPress authentication cookie based only on a substring check for '.near' without verifying any nonce, cryptographic signature, or proof of wallet control.
This flaw allows attackers to log in as any existing WordPress user whose email matches the pattern <account>@near.org, including administrators. If no matching user exists, the plugin automatically creates and authenticates a new account for the attacker, enabling unauthorized account creation.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to WordPress accounts, even those with administrative privileges. Attackers can bypass authentication controls without any proof of identity or wallet ownership.
It also allows attackers to create new accounts without authorization, potentially leading to further exploitation, data breaches, or site compromise.
- Unauthorized administrative access
- Unauthorized account creation
- Potential full site compromise
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized login attempts using the ajaxLoginWithNear() function, which accepts an 'account' POST parameter containing '.near'. Detection involves checking for suspicious POST requests to the WordPress AJAX endpoint with parameters matching the pattern of an account containing '.near'.
You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like grep on your web server logs to find POST requests containing '.near' in the 'account' parameter may help detect exploitation attempts.
- grep -i 'account=.*\.near' /path/to/wordpress/wp-content/debug.log
- grep -i 'account=.*\.near' /var/log/apache2/access.log
- grep -i 'account=.*\.near' /var/log/nginx/access.log
Additionally, monitoring for new user creation events with usernames or emails matching the pattern '<account>@near.org' can help detect unauthorized account creation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Login with NEAR plugin to a version later than 0.3.3 where the vulnerability is fixed.
If an update is not immediately available, temporarily disabling or removing the vulnerable plugin will prevent exploitation.
Additionally, monitoring and restricting access to the ajaxLoginWithNear() endpoint, such as by implementing firewall rules or web application firewall (WAF) rules to block suspicious requests containing '.near' in the 'account' parameter, can reduce risk.
Review and audit user accounts for any unauthorized accounts created with the '@near.org' email pattern and remove them.