{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/login-with-near-plugin--0.3.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-8994"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Login with NEAR plugin \u003c= 0.3.3"],"_cs_severities":["high"],"_cs_tags":["wordpress","authentication-bypass","cve-2026-8994","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Login with NEAR plugin for WordPress, in versions up to and including 0.3.3, contains an authentication bypass vulnerability (CVE-2026-8994). The \u003ccode\u003eajaxLoginWithNear()\u003c/code\u003e function, exposed to unauthenticated users via the \u003ccode\u003ewp_ajax_nopriv\u003c/code\u003e action, inadequately validates the \u003ccode\u003eaccount\u003c/code\u003e POST parameter. Specifically, it checks only for the presence of \u003ccode\u003e.near\u003c/code\u003e within the supplied account string. This flawed logic allows an attacker to forge a valid WordPress authentication cookie for any existing user whose email address matches the \u003ccode\u003e\u0026lt;account\u0026gt;@near.org\u003c/code\u003e pattern. Furthermore, if no such user exists, the plugin automatically creates a new WordPress account associated with the attacker-supplied \u003ccode\u003eaccount\u003c/code\u003e identifier. This vulnerability poses a significant risk, enabling attackers to gain unauthorized access and potentially escalate privileges to administrator level.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003elogin_with_near\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eaccount\u003c/code\u003e parameter in the POST request, setting its value to a string containing \u003ccode\u003e.near\u003c/code\u003e and matching a target user\u0026rsquo;s email prefix (e.g., \u003ccode\u003eadmin.near\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eajaxLoginWithNear()\u003c/code\u003e function is triggered, processing the attacker\u0026rsquo;s crafted \u003ccode\u003eaccount\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe function performs a substring check for \u003ccode\u003e.near\u003c/code\u003e within the supplied \u003ccode\u003eaccount\u003c/code\u003e value but lacks proper cryptographic verification or nonce checks.\u003c/li\u003e\n\u003cli\u003eThe plugin searches for a WordPress user with an email address matching \u003ccode\u003e\u0026lt;account\u0026gt;@near.org\u003c/code\u003e (e.g., \u003ccode\u003eadmin.near@near.org\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf a matching user is found, a valid WordPress authentication cookie is issued for that user. If no user exists, a new user account is created using the attacker-supplied \u003ccode\u003eaccount\u003c/code\u003e identifier.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the valid WordPress authentication cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the forged or newly created cookie to access the WordPress administration panel and other protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8994 allows unauthenticated attackers to bypass authentication and gain unauthorized access to WordPress websites using the affected Login with NEAR plugin. Attackers can potentially log in as any existing user, including administrators, or create new unauthorized accounts. This can lead to complete site compromise, data theft, defacement, or other malicious activities. The severity of the impact depends on the privileges of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of the Login with NEAR plugin greater than 0.3.3 to remediate CVE-2026-8994.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Login with NEAR Authentication Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable \u003ccode\u003eajaxLoginWithNear\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003elogin_with_near\u003c/code\u003e (see rule \u003ccode\u003eDetect WordPress Login with NEAR Authentication Bypass Attempt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview user accounts for any unauthorized accounts created with email addresses ending in \u003ccode\u003e@near.org\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T07:18:28Z","date_published":"2026-05-27T07:18:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8994-wordpress-auth-bypass/","summary":"The Login with NEAR plugin for WordPress is vulnerable to authentication bypass due to the `ajaxLoginWithNear()` function issuing valid authentication cookies based on a substring check of the `account` POST parameter, allowing unauthenticated attackers to log in as existing users or create new accounts.","title":"CVE-2026-8994 - WordPress Login with NEAR Plugin Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8994-wordpress-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Login With NEAR Plugin \u003c= 0.3.3","version":"https://jsonfeed.org/version/1.1"}