CVE-2026-8994 in Login with NEAR Pluginالمعلومات

الملخص

بحسب MITRE • 27/05/2026

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

19/05/2026

إفشاء

27/05/2026

الاعتدال

تمت الموافقة

إدخال

VDB-365904

EPSS

0.00116

KEV

لا

النشاطات

منخفض

القطاع

Hostingprovider

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-8994
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-8994
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-8994/

التالي نظرة عامة السابق

Do you need the next level of professionalism?

Upgrade your account now!