Description

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

PUBLISHED Reserved 2026-05-11 | Published 2026-06-02 | Updated 2026-06-02 | Assigner WPScan

Problem types

CWE-287 Improper Authentication

Product status

Default status: unaffected

Any version before 9.5.10.1: affected

Credits

John Umoru (finder)

WPScan (coordinator)

References

wpscan.com/...rability/1de69ef9-6226-4292-8e36-b331a37f043e/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-8293)

nvd.nist.gov (CVE-2026-8293)