VYPR

High severity · 8.1 · NVD Advisory · Published May 27, 2026

CVE-2026-8994

Description

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The ajaxLoginWithNear() function — registered as a wp_ajax_nopriv action and therefore reachable by unauthenticated users — accepts an attacker-supplied account POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for .near, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic @near.org pattern derived from the supplied account value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Login with NEAR plugin for WordPress ≤0.3.3 allows unauthenticated attackers to bypass authentication and log in as any user by supplying a .near account name, due to missing cryptographic verification.

Vulnerability

The ajaxLoginWithNear() function in the Login with NEAR plugin (all versions up to and including 0.3.3) is registered as a wp_ajax_nopriv action, making it reachable by unauthenticated users. The function accepts an attacker-supplied account POST parameter and, after a simple substring check for .near, derives a user email in the @near.org pattern via getUserEmailByAccount() [1][2][3][4]. It then looks up a WordPress user by that email; if one is found, it immediately sets an authentication cookie for that user with no nonce verification, cryptographic signature check, or proof of wallet ownership. If no user exists, it creates a new WordPress account with the derived email and authenticates it [1][2][3][4].
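As an added illustration (not the plugin's code, and not taken from the advisory), the handler below shows the shape a safe version of this AJAX login would take: a single-use server-issued challenge, a CSRF nonce, and an ed25519 signature check against the key the wallet actually holds, all before any auth cookie is set. It assumes a hypothetical near_lookup_public_key() helper that returns the account's 32-byte ed25519 public key (for example from an RPC query), and treats the account-to-@near.org email mapping as an assumption.

```php
<?php
// Added example, not the plugin's code. Hardened shape of a NEAR login AJAX handler:
// a single-use server challenge, a CSRF nonce, and an ed25519 signature check bound
// to the account's actual wallet key before any WordPress auth cookie is issued.
// The advisory's flaw was trusting a ".near" substring and setting the cookie directly.
// Assumption: near_lookup_public_key($account) (hypothetical helper, e.g. an RPC
// view_access_key query) returns the account's 32-byte ed25519 public key or null.

// Step 1: the unauthenticated client requests a challenge for its account name.
add_action('wp_ajax_nopriv_near_challenge', function () {
    $account = sanitize_text_field(wp_unslash($_POST['account'] ?? ''));
    // Strict account-name format (simplified NEAR top-level pattern), not a substring test.
    if (!preg_match('/^[a-z0-9_-]{2,64}\.near$/', $account)) {
        wp_send_json_error('invalid account', 400);
    }
    $challenge = bin2hex(random_bytes(32));
    // Short-lived and keyed to the account, so a challenge cannot be reused for another one.
    set_transient('near_chal_' . md5($account), $challenge, 2 * MINUTE_IN_SECONDS);
    wp_send_json_success(['challenge' => $challenge]);
});

// Step 2: the client returns the challenge signed by the wallet key; log in only on success.
add_action('wp_ajax_nopriv_near_login', function () {
    check_ajax_referer('near_login');   // CSRF nonce embedded in the login form
    $account   = sanitize_text_field(wp_unslash($_POST['account'] ?? ''));
    $signature = base64_decode((string) ($_POST['signature'] ?? ''), true);
    $key       = 'near_chal_' . md5($account);
    $challenge = get_transient($key);
    delete_transient($key);             // single use: consume it even if verification fails
    if ($challenge === false || $signature === false
        || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        wp_send_json_error('no valid challenge', 403);
    }
    $pubkey = near_lookup_public_key($account);   // hypothetical helper, see above
    if ($pubkey === null
        || !sodium_crypto_sign_verify_detached($signature, $challenge, $pubkey)) {
        wp_send_json_error('signature verification failed', 403);
    }
    // Ownership is proven. Map to an existing linked user only; never auto-create here.
    // (The advisory describes a deterministic @near.org mapping; its exact form is assumed.)
    $user = get_user_by('email', $account . '@near.org');
    if (!$user) {
        wp_send_json_error('no linked user', 403);
    }
    wp_set_auth_cookie($user->ID, false, is_ssl());
    wp_send_json_success(['user' => $user->user_login]);
});
```

The client side must sign exactly the hex challenge string it received with the wallet's ed25519 key and send it back base64-encoded together with the nonce from the form.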

Exploitation

An unauthenticated attacker can send a POST request to the WordPress AJAX endpoint with the action parameter set to the plugin's AJAX action and an account parameter containing any string ending in .near (e.g., admin@example.com.near). The plugin strips tags and trims the input, then constructs the corresponding @near.org email address. If a WordPress user already has that email (e.g., admin@example.com.near@near.org), the attacker is logged in as that user. No authentication, nonce, or cryptographic challenge is required [1][2][3][4].

Impact

Successful exploitation allows an unauthenticated attacker to log in as any existing WordPress user whose email matches the deterministic pattern, including administrators. This grants full administrative access to the WordPress site. Additionally, if no matching user exists, the plugin automatically creates a new WordPress account for the attacker-controlled identifier, enabling unauthorized account creation and potential further abuse [1][2][3][4].

Mitigation

As of the publication date (2026-05-27), no fixed version has been released. The plugin is vulnerable up to and including version 0.3.3. Users should disable the plugin until a patched version is available. There is no known workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.