Cve-2026-8994 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-8994/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 27 May 2026 07:18:28 +0000CVE-2026-8994 - WordPress Login with NEAR Plugin Authentication Bypasshttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-8994-wordpress-auth-bypass/Wed, 27 May 2026 07:18:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-8994-wordpress-auth-bypass/The Login with NEAR plugin for WordPress is vulnerable to authentication bypass due to the `ajaxLoginWithNear()` function issuing valid authentication cookies based on a substring check of the `account` POST parameter, allowing unauthenticated attackers to log in as existing users or create new accounts.The Login with NEAR plugin for WordPress, in versions up to and including 0.3.3, contains an authentication bypass vulnerability (CVE-2026-8994). The ajaxLoginWithNear() function, exposed to unauthenticated users via the wp_ajax_nopriv action, inadequately validates the account POST parameter. Specifically, it checks only for the presence of .near within the supplied account string. This flawed logic allows an attacker to forge a valid WordPress authentication cookie for any existing user whose email address matches the <account>@near.org pattern. Furthermore, if no such user exists, the plugin automatically creates a new WordPress account associated with the attacker-supplied account identifier. This vulnerability poses a significant risk, enabling attackers to gain unauthorized access and potentially escalate privileges to administrator level.

Attack Chain

  1. An unauthenticated attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to login_with_near.
  2. The attacker includes the account parameter in the POST request, setting its value to a string containing .near and matching a target user’s email prefix (e.g., admin.near).
  3. The ajaxLoginWithNear() function is triggered, processing the attacker’s crafted account value.
  4. The function performs a substring check for .near within the supplied account value but lacks proper cryptographic verification or nonce checks.
  5. The plugin searches for a WordPress user with an email address matching <account>@near.org (e.g., admin.near@near.org).
  6. If a matching user is found, a valid WordPress authentication cookie is issued for that user. If no user exists, a new user account is created using the attacker-supplied account identifier.
  7. The attacker receives the valid WordPress authentication cookie.
  8. The attacker uses the forged or newly created cookie to access the WordPress administration panel and other protected resources.

Impact

Successful exploitation of CVE-2026-8994 allows unauthenticated attackers to bypass authentication and gain unauthorized access to WordPress websites using the affected Login with NEAR plugin. Attackers can potentially log in as any existing user, including administrators, or create new unauthorized accounts. This can lead to complete site compromise, data theft, defacement, or other malicious activities. The severity of the impact depends on the privileges of the compromised user account.

Recommendation

  • Apply the vendor-supplied patch or upgrade to a version of the Login with NEAR plugin greater than 0.3.3 to remediate CVE-2026-8994.
  • Deploy the Sigma rule Detect WordPress Login with NEAR Authentication Bypass Attempt to identify potential exploitation attempts targeting the vulnerable ajaxLoginWithNear endpoint.
  • Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to login_with_near (see rule Detect WordPress Login with NEAR Authentication Bypass Attempt).
  • Review user accounts for any unauthorized accounts created with email addresses ending in @near.org.
]]>highadvisorywordpressauthentication-bypasscve-2026-8994cloud