← back
CVE-2026-8293

Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

CVSS 7.5 HIGHEPSS 0.2%CWE-287
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Really Simple Security
public PoCs found1
cve_referencewpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/