CVE Alert

CVE-2026-8293

HIGH 7.5

Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge.

Vendor: unknown
Product: really simple security
Published: Jun 2, 2026
Last Updated: Jun 2, 2026

Affected Versions

Unknown / Really Simple Security
0 < 9.5.10.1

References

NVD, CVE.org, EPSS Data
wpscan.com: https://wpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/

Credits

John Umoru WPScan