VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Jun 15, 2026

CVE-2026-48969

Description

Subscriber-level users can exploit a missing authorization check in Really Simple SSL <= 9.5.9 to perform privileged actions, leading to potential site compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A broken access control vulnerability exists in the Really Simple SSL plugin for WordPress, affecting versions up to and including 9.5.9 [1]. The root cause is a missing authorization (capability) or nonce check in a function that performs privileged actions, so any authenticated user holding only the subscriber role can trigger operations that should be reserved for administrators. The affected function is not publicly disclosed, but the code path is reachable by any logged-in account with subscriber-level access [1]. In WordPress terms this is the familiar pattern of an action handler (for example a wp_ajax_ or REST callback) that runs without calling current_user_can() or verifying a nonce before doing its work.
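As an added illustration of that bug class, and not code from Really Simple SSL (whose affected function is not public), the following hypothetical WordPress AJAX handler shows a settings-write callback without any authorization check beside a hardened version of the same handler. The action names, option name, nonce action, and setting keys are all invented for the example.

```php
<?php
// Added illustration only; not code from Really Simple SSL.
// All hook names, option names and setting keys below are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_{action} fires for every logged-in user, subscribers included.
// Nothing here verifies a capability or a nonce before writing a site option,
// so a subscriber can POST action=example_ssl_save_settings and change it.
add_action( 'wp_ajax_example_ssl_save_settings', 'example_ssl_save_settings_vulnerable' );
function example_ssl_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_ssl_settings', $settings ); // privileged write, unchecked
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
add_action( 'wp_ajax_example_ssl_save_settings_v2', 'example_ssl_save_settings_hardened' );
function example_ssl_save_settings_hardened() {
    // Authorization: only users allowed to manage options get any further.
    // wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_ssl_save_settings', 'nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = example_ssl_sanitize_settings( $raw );
    update_option( 'example_ssl_settings', $settings );
    wp_send_json_success( $settings );
}

// Allow-list sanitization: unknown keys are dropped, known ones are coerced.
function example_ssl_sanitize_settings( array $raw ) {
    $allowed = array( 'redirect_to_https' => 'bool', 'hsts_max_age' => 'int' );
    $clean   = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! array_key_exists( $key, $raw ) ) {
            continue;
        }
        $clean[ $key ] = ( 'bool' === $type ) ? (bool) $raw[ $key ] : absint( $raw[ $key ] );
    }
    return $clean;
}

// The same rule for a REST route: permission_callback is the authorization
// gate. Returning '__return_true' there reproduces the bug class.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ssl/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $settings = example_ssl_sanitize_settings( (array) $req->get_param( 'settings' ) );
            update_option( 'example_ssl_settings', $settings );
            return rest_ensure_response( $settings );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Two points worth keeping in mind when reviewing a plugin for this class of issue. A nonce check on its own does not close a subscriber-to-admin path: a nonce proves the request originated from a page WordPress rendered for that user, not that the user is authorized, and a subscriber can obtain a valid nonce from any page that prints one. The capability check is what actually stops the privilege escalation; the nonce check addresses CSRF. Second, a quick triage pass is to list every wp_ajax_ hook and every register_rest_route() call in the plugin and confirm that each handler either calls current_user_can() or supplies a real permission_callback.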

Exploitation

An attacker needs only a valid subscriber account on the target WordPress site [1]; no further network position or user interaction beyond logging in is required. On sites with open registration, where the default role for new users is subscriber, that prerequisite is effectively unauthenticated. Because the affected function never verifies the caller's capabilities, a crafted request from the subscriber account triggers the privileged action directly. The references do not detail the exact request, but the flaw is reported as actively exploited in mass campaigns [1].

Impact

Successful exploitation lets the attacker perform higher-privileged actions, which, depending on the affected function, can mean arbitrary changes to the site's SSL and security settings, modification of stored options, information disclosure, or further privilege escalation up to full site compromise. The vulnerability is classified as broken access control and carries a CVSS score of 6.5 (medium) [1]; given the confirmed exploitation noted below, the score understates the practical urgency.

Mitigation

The vulnerability is fixed in version 9.5.10 [1], and users should update to that version immediately. For sites that cannot update, Patchstack has issued a mitigation rule that blocks exploit attempts, but no permanent workaround short of updating is provided [1]. The vulnerability is listed as a Known Exploited Vulnerability (KEV), indicating active exploitation [1], so treat the KEV status rather than the medium CVSS score as the prioritization signal. Updating does not undo actions an attacker has already taken; after patching, review the plugin's settings and recently changed options and user accounts for tampering.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1