CVE-2026-8994: Login with NEAR WordPress Plugin Pre-Auth Authentication Bypass via Account Parameter

漏洞概述 漏洞名称: Login with NEAR <= 0.3.3 - Authentication Bypass via 'account' Parameter 漏洞类型: Improper Authentication CVSS评分: 8.1 (High) CVE编号: CVE-2026-8994 发布日期: May 26, 2026 最后更新: May 27, 2026 研究人员: g0wthr 影响范围 软件类型: Plugin 软件名称: Login with NEAR 受影响版本: <= 0.3.3 修复方案 补丁状态: No known patch available. 建议措施: Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement. 详细描述 The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The function – registered as a action and therefore reachable by unauthenticated users – accepts an attacker-supplied POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for , with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic pattern derived from the supplied value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation. 参考链接 plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org 分享 Facebook Twitter LinkedIn Email

目標達成すべての支援者に感謝 — 100%達成しました！

CVE-2026-8994: Login with NEAR WordPress Plugin Pre-Auth Authentication Bypass via Account Parameter

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

CVE-2026-8994: Login with NEAR WordPress Plugin Pre-Auth Authentication Bypass via Account Parameter

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！