CVE-2026-8293: WordPress Really Simple Security plugin allows password-only login

CVE-2026-8293
Summary

An attacker who knows a user's password can log in without completing the email OTP second-factor check. This affects WordPress sites using the Really Simple Security plugin before 9.5.10.1. To fix, update the plugin to the latest version (9.5.10.1 or later).

Original title
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a us...
Original description
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.
Published: 2 Jun 2026 · Updated: 2 Jun 2026 · First seen: 2 Jun 2026
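
The flaw class described above, as an added example: this is a framework-free model written for this page, not code from the plugin. The class, method names and sample account are hypothetical. It shows a session-issuing handler that skips the second-factor state check beside one that enforces it server-side.

```python
import hmac
import secrets


class TwoFactorLogin:
    """Hypothetical model of a two-step login: password first, then an emailed OTP."""

    def __init__(self, users):
        self.users = users   # constructed sample data: username -> password
        self.pending = {}    # login token -> {"user", "otp", "verified"}

    def start(self, user, password):
        """Step 1: check the password and return a login token for step 2."""
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"  # a real system would email this
        self.pending[token] = {"user": user, "otp": otp, "verified": False}
        return token

    def verify_otp(self, token, code):
        """Step 2: mark the pending login verified only if the OTP matches."""
        state = self.pending.get(token)
        if state and hmac.compare_digest(state["otp"].encode(), code.encode()):
            state["verified"] = True
        return bool(state and state["verified"])

    def finish_vulnerable(self, token):
        """Flawed handler: trusts the step-1 token and never checks 'verified'."""
        state = self.pending.get(token)
        return f"session:{state['user']}" if state else None

    def finish_hardened(self, token):
        """Issues a session only after the OTP step, then consumes the token."""
        state = self.pending.get(token)
        if not state or not state["verified"]:
            return None
        del self.pending[token]  # single use: the token cannot be replayed
        return f"session:{state['user']}"
```

The check that matters is the server-side `verified` flag: every handler that can issue a session has to consult it, not only the one the login form normally calls.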