CVE-2026-8293
Really Simple Security WordPress Plugin Missing Second-Factor Authentication Bypass
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| really_simple_security | really_simple_security | < 9.5.10.1 (fixed in 9.5.10.1) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | Not yet assigned |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-8293 affects the Really Simple Security WordPress plugin versions before 9.5.10.1. It allows an attacker who knows a user's password to bypass the two-factor authentication (2FA) mechanism by exploiting two unprotected REST endpoints.
Normally, after entering a password, a user must complete a second-factor challenge via an email one-time password (OTP). However, due to this vulnerability, the attacker can skip this email OTP challenge and still obtain a valid WordPress authentication session.
The attacker achieves this by submitting the username and password to the login page, capturing the login nonce and user ID, and then replaying these values against the vulnerable endpoints `/wp-json/really-simple-security/v1/two-fa/v2/do_not_ask_again` or `/wp-json/really-simple-security/v1/two-fa/v2/skip_onboarding`.
How can this vulnerability impact me?
This vulnerability can allow an attacker who already knows a user's password to bypass the second-factor authentication and gain unauthorized access to the user's WordPress account.
As a result, the attacker can impersonate the user, potentially accessing sensitive information, modifying content, or performing administrative actions depending on the user's privileges.
This increases the risk of account compromise, data breaches, and unauthorized changes within the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts show up in web server logs as POST requests to the two vulnerable REST endpoints of the Really Simple Security plugin: `/wp-json/really-simple-security/v1/two-fa/v2/do_not_ask_again` and `/wp-json/really-simple-security/v1/two-fa/v2/skip_onboarding`. WordPress also serves every REST route in the form `/index.php?rest_route=/really-simple-security/v1/two-fa/v2/...`, so a search that only matches the `/wp-json/` prefix will miss requests sent that way.
Network monitoring tools or the web server's access log will show these requests. For example, on the command line:
- Search the access log for POST requests to either endpoint in either URL form (a percent-encoded `rest_route` value is not caught by this pattern): `grep -E 'POST [^ ]*(wp-json|rest_route=)/really-simple-security/v1/two-fa/v2/(do_not_ask_again|skip_onboarding)' /var/log/apache2/access.log`
- A bare `curl -X POST https://example.com/wp-json/really-simple-security/v1/two-fa/v2/do_not_ask_again` (replace example.com with your domain) only shows whether the route is registered. The actual exploit request carries the login nonce and user ID captured from the login page, so the response to an empty POST says nothing about whether the site is patched. Check the installed plugin version instead, in the WordPress Plugins screen or with `wp plugin list --fields=name,version`, and treat anything below 9.5.10.1 as vulnerable.
- A successful bypass leaves a POST to `wp-login.php` followed within seconds by a POST to one of these endpoints from the same client, with no email OTP submitted in between. Correlating those two events, or monitoring for sessions created without the OTP step, may require custom logging or the plugin's own audit logs.
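The correlation described above, written out as an added example that is not part of this advisory or of the plugin: it parses Apache/nginx combined-format access log lines, matches both the `/wp-json/` and the `index.php?rest_route=` forms of the two endpoints (after percent-decoding the request target), and flags each POST to them, noting whether the same client POSTed to `wp-login.php` within the preceding window. The log lines, IP addresses, timestamps and user agents are constructed for the example; the 120-second window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Both the pretty-permalink route and the rest_route= fallback WordPress serves.
SKIP_RE = re.compile(
    r'(?:/wp-json|rest_route=)/really-simple-security/v1/two-fa/v2/'
    r'(?P<endpoint>do_not_ask_again|skip_onboarding)(?:[/?&]|$)'
)

# Constructed sample traffic (not real log data): two bypass-shaped sequences,
# one ordinary login, and one endpoint hit with no preceding login.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:10:14:04 +0000] "POST /wp-json/really-simple-security/v1/two-fa/v2/do_not_ask_again HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.9 - - [02/Jun/2026:10:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jun/2026:10:21:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [02/Jun/2026:11:02:50 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.33 - - [02/Jun/2026:11:02:53 +0000] "POST /index.php?rest_route=%2Freally-simple-security%2Fv1%2Ftwo-fa%2Fv2%2Fskip_onboarding HTTP/1.1" 200 298 "-" "python-requests/2.32"
203.0.113.250 - - [02/Jun/2026:11:30:00 +0000] "POST /wp-json/really-simple-security/v1/two-fa/v2/skip_onboarding HTTP/1.1" 403 45 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # Decode so an encoded rest_route value matches the same pattern.
        "target": unquote(m["target"]),
        "status": int(m["status"]),
    }


def find_bypass_candidates(log_text, window_seconds=120):
    """Flag every POST to the two skip endpoints; mark it if a wp-login.php POST
    from the same client preceded it within window_seconds (assumed default)."""
    last_login = {}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["target"].startswith("/wp-login.php"):
            last_login[rec["ip"]] = rec["ts"]
            continue
        m = SKIP_RE.search(rec["target"])
        if not m or rec["method"] != "POST":
            continue
        login_ts = last_login.get(rec["ip"])
        preceded = (
            login_ts is not None
            and rec["ts"] - login_ts <= timedelta(seconds=window_seconds)
        )
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "endpoint": m["endpoint"],
            "status": rec["status"],
            "preceded_by_login": preceded,
        })
    return findings


if __name__ == "__main__":
    for f in find_bypass_candidates(SAMPLE_LOG):
        tag = "BYPASS PATTERN" if f["preceded_by_login"] else "endpoint hit"
        print(f"{tag}: {f['ip']} {f['endpoint']} status={f['status']} at {f['ts']}")
```

Hits with `preceded_by_login` true and a 2xx status are the ones to investigate first; an endpoint hit with no login in front of it is more likely scanning or a blocked attempt. Run it against a real log with `find_bypass_candidates(open(path).read())`, and widen the window if your users are slow to move from the password form to the next step.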
What immediate steps should I take to mitigate this vulnerability?
Update the Really Simple Security WordPress plugin to version 9.5.10.1 or later, where the issue is fixed.
Until the update is applied, block or rate-limit requests to `/wp-json/really-simple-security/v1/two-fa/v2/do_not_ask_again` and `/wp-json/really-simple-security/v1/two-fa/v2/skip_onboarding` with firewall or web application firewall (WAF) rules. Match the `/index.php?rest_route=/really-simple-security/v1/two-fa/v2/...` form of the same routes as well, or the rule is trivially sidestepped. Judging by their names, these are the plugin's own 2FA onboarding controls, so the corresponding part of the plugin's UI may stop working while the block is in place.
Monitor authentication logs for unusual activity that might indicate exploitation attempts. Because the attack requires the victim's password, a confirmed bypass means that password is already compromised: reset it and invalidate the user's existing sessions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-8293 allows an attacker to bypass two-factor authentication in the Really Simple Security WordPress plugin, enabling unauthorized access to user accounts if the attacker knows the user's password. This authentication bypass can lead to unauthorized access to sensitive personal or protected health information stored or managed through the affected WordPress site.
Such unauthorized access could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strong access controls and protection of personal and health data. Failure to enforce two-factor authentication as intended may be considered a weakness in security controls, potentially leading to data breaches and regulatory penalties.