CVE-2026-48970

Vulnerability

The Really Simple SSL plugin for WordPress versions 9.5.10 and earlier suffers from a broken authentication vulnerability. The plugin fails to properly verify user permissions, allowing a user with a valid password to perform actions reserved for higher-privileged users. This affects all installations running version 9.5.10 or earlier. [1]

Exploitation

Exploitation requires the attacker to first obtain a valid user password for the target WordPress site (e.g., via phishing, credential stuffing, or other means). With that password, the attacker can authenticate as that user and then leverage the broken authentication to execute actions that should require higher privileges, such as gaining admin access. No additional authentication bypass is needed beyond the initial credential. [1]

Impact

Successful exploitation allows the attacker to escalate privileges to administrator level, gaining full control over the WordPress site. This can lead to complete site compromise, including data theft, malware injection, and defacement. The CVSS score is 8.1 (High). [1]

Mitigation

The vulnerability is fixed in version 9.5.10.1. Users should update immediately. If unable to update, contact your hosting provider for assistance. No virtual patch is available due to the nature of the vulnerability. [1]