CVE-2026-48969
Status: Deferred - Pending Action

Subscriber Broken Access Control in Really Simple SSL

Vulnerability report for CVE-2026-48969, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description

Subscriber-level Broken Access Control in Really Simple SSL versions 9.5.9 and earlier.

Meta Information

Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-07-06
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

One associated CPE:
Vendor: really_simple_ssl
Product: really_simple_ssl
Version / Range: up to 9.5.10 (exclusive)

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-48969 is a Broken Access Control vulnerability found in the WordPress Really Simple SSL Plugin versions 9.5.9 and earlier.

The flaw occurs due to missing authorization, authentication, or nonce token checks, which allows unprivileged users to perform actions that should require higher privileges.

This vulnerability is classified under OWASP Top 10 A1: Broken Access Control and has a medium priority with a CVSS score of 6.5.

Impact Analysis

This vulnerability can allow attackers or unprivileged users to perform higher-privileged actions within the Really Simple SSL plugin, potentially compromising the security of your WordPress site.

Because the flaw is exploitable without user interaction and has a network attack vector, it can be used in mass campaigns targeting thousands of websites.

Exploitation could lead to unauthorized changes or control over SSL settings, which may affect site security and trust.

Detection Guidance

The vulnerability arises from missing authorization, authentication, or nonce token checks in Really Simple SSL Plugin versions 9.5.9 and earlier, allowing unprivileged users to perform higher-privileged actions.

Detection can involve monitoring for unusual or unauthorized access attempts to privileged functions of the plugin, especially requests that should require authentication but are accepted without it.

Specific commands are not provided in the available resources, but general approaches include reviewing web server logs for suspicious requests targeting Really Simple SSL plugin endpoints and using tools like curl or wget to test access control by attempting to access privileged plugin functions without proper authentication.

Mitigation Strategies

The immediate recommended step is to update the Really Simple SSL Plugin to version 9.5.10 or later, where the vulnerability is patched.

Until the update can be applied, users are advised to implement the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.

Additionally, seeking assistance from hosting providers or developers to apply these mitigations or updates is recommended.

Compliance Impact

The vulnerability in Really Simple SSL Plugin versions 9.5.9 and earlier is a Broken Access Control issue that allows unprivileged users to perform higher-privileged actions due to missing authorization and authentication checks.

Such unauthorized access can lead to potential data integrity issues and unauthorized modification of information, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.
