CVE-2026-8994
Deferred Deferred - Pending Action
Authentication Bypass in Login with NEAR WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function β€” registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users β€” accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8994
EUVD
EUVD-2026-32094
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
near login_with_near to 0.3.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Login with NEAR plugin for WordPress has an authentication bypass vulnerability in all versions up to 0.3.3. The vulnerable function, ajaxLoginWithNear(), is accessible to unauthenticated users and accepts an attacker-supplied account parameter. It issues a valid WordPress authentication cookie based only on a substring check for '.near' without verifying any nonce, cryptographic signature, or proof of wallet control.

This flaw allows attackers to log in as any existing WordPress user whose email matches the pattern <account>@near.org, including administrators. If no matching user exists, the plugin automatically creates and authenticates a new account for the attacker, enabling unauthorized account creation.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to WordPress accounts, even those with administrative privileges. Attackers can bypass authentication controls without any proof of identity or wallet ownership.

It also allows attackers to create new accounts without authorization, potentially leading to further exploitation, data breaches, or site compromise.

  • Unauthorized administrative access
  • Unauthorized account creation
  • Potential full site compromise
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized login attempts using the ajaxLoginWithNear() function, which accepts an 'account' POST parameter containing '.near'. Detection involves checking for suspicious POST requests to the WordPress AJAX endpoint with parameters matching the pattern of an account containing '.near'.

You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like grep on your web server logs to find POST requests containing '.near' in the 'account' parameter may help detect exploitation attempts.

  • grep -i 'account=.*\.near' /path/to/wordpress/wp-content/debug.log
  • grep -i 'account=.*\.near' /var/log/apache2/access.log
  • grep -i 'account=.*\.near' /var/log/nginx/access.log

Additionally, monitoring for new user creation events with usernames or emails matching the pattern '<account>@near.org' can help detect unauthorized account creation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Login with NEAR plugin to a version later than 0.3.3 where the vulnerability is fixed.

If an update is not immediately available, temporarily disabling or removing the vulnerable plugin will prevent exploitation.

Additionally, monitoring and restricting access to the ajaxLoginWithNear() endpoint, such as by implementing firewall rules or web application firewall (WAF) rules to block suspicious requests containing '.near' in the 'account' parameter, can reduce risk.

Review and audit user accounts for any unauthorized accounts created with the '@near.org' email pattern and remove them.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart