CVE-2026-8994

May 27, 2026, 2:50 p.m.

8.1
High

Description

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Login With Near
  • 0.3.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress login_with_near 0.3.3 / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/near-login/trunk/Controllers/UserLoginController.php#L16
https://plugins.trac.wordpress.org/browser/near-login/trunk/Controllers/UserLoginController.php#L29
https://plugins.trac.wordpress.org/browser/near-login/trunk/Controllers/UserLoginController.php#L46
https://plugins.trac.wordpress.org/browser/near-login/trunk/Controllers/UserLoginController.php#L76
https://www.wordfence.com/threat-intel/vulnerabilities/id/f1eacb72-df11-4a3b-9064-f8f776f3522b?source=cve

Tags

[email protected]
CWE-287
2026-05-27
CVE-2026-8994

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 27, 2026, 7:16 a.m.
Last Modified: May 27, 2026, 2:50 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.