PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8994 learnnearclub CVE debrief

The Login with NEAR plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 0.3.3. The `ajaxLoginWithNear()` function is registered as a `wp_ajax_nopriv` action, making it accessible to unauthenticated users. The function accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, without nonce verification, cryptographic signature validation, challenge-response exchange, or proof of control over the corresponding NEAR wallet. This allows unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, enabling unauthorized account creation.

Vendor: learnnearclub
Product: Login with NEAR
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Login with NEAR plugin; security teams monitoring WordPress plugin vulnerabilities; NEAR protocol users with WordPress integrations; incident response teams investigating potential account compromise in WordPress environments

Technical summary

The vulnerability exists in the `ajaxLoginWithNear()` function within the Login with NEAR WordPress plugin. The function is exposed via a `wp_ajax_nopriv` action, allowing unauthenticated access. The authentication logic performs only a substring check for `.near` in the supplied `account` parameter, without verifying cryptographic ownership of the NEAR wallet. The function constructs an email address as `<account>@near.org` and either authenticates an existing matching user or creates a new WordPress user account. This design flaw completely bypasses authentication controls, enabling arbitrary account takeover and unauthorized account provisioning. The attack requires network access to the WordPress site and knowledge or guessing of valid account identifiers, with no user interaction required from legitimate users.

Defensive priority

critical

Recommended defensive actions

  • Immediately disable or remove the Login with NEAR plugin (near-login) from all WordPress installations
  • Review WordPress user accounts for any unauthorized administrators or users with email addresses matching the `<account>@near.org` pattern
  • Audit authentication logs for suspicious login activity originating from the `ajaxLoginWithNear()` endpoint
  • Apply the vendor patch when available; until then, implement network-level restrictions on access to `/wp-admin/admin-ajax.php` if the plugin must remain active
  • Consider implementing additional authentication controls such as multi-factor authentication for administrative accounts
  • Monitor for indicators of compromise including unexpected account creation or privilege escalation events
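Added example for the account review and monitoring steps above (not part of this advisory or the plugin): a Python triage script over a constructed user export in the column layout of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`. It flags accounts whose email follows the `<account>@near.org` mapping, then separates administrators reachable through that mapping from accounts created after a chosen cutoff. The NEAR account-id character set used in the regex is an assumption.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Assumption: NEAR account ids are lowercase, drawn from [a-z0-9._-], and end
# in ".near"; the plugin maps <account> to <account>@near.org (advisory text).
NEAR_MAPPED_EMAIL = re.compile(r"^(?P<account>[a-z0-9._-]*\.near)@near\.org$")

# Constructed sample data in the `wp user list ... --format=csv` column layout.
SAMPLE_USER_CSV = """\
ID,user_login,user_email,user_registered,roles
1,admin,admin@example.org,2024-01-10 09:12:00,administrator
2,alice.near,alice.near@near.org,2025-03-02 14:05:31,subscriber
3,wpadmin,ops.near@near.org,2025-03-02 14:06:02,administrator
4,bob,bob@example.org,2025-04-18 08:00:00,editor
5,x.near,x.near@near.org,2026-05-26 23:58:41,subscriber
"""


def find_near_mapped_users(csv_text: str) -> List[Dict[str, object]]:
    """Return users whose email matches the <account>@near.org mapping,
    with the derived NEAR account id and an administrator flag."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = NEAR_MAPPED_EMAIL.match(row["user_email"].strip().lower())
        if not m:
            continue  # email not derived from a NEAR account id
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        findings.append({
            "id": row["ID"],
            "login": row["user_login"],
            "account": m.group("account"),
            "registered": row["user_registered"],
            "is_admin": "administrator" in roles,
        })
    return findings


def triage(findings: List[Dict[str, object]], created_since: str) -> Tuple[list, list]:
    """Split findings into privileged accounts reachable via the mapping and
    accounts registered at or after `created_since` (possible attacker-provisioned users).
    Timestamps are compared as 'YYYY-MM-DD HH:MM:SS' strings, which sort correctly."""
    admins = [f for f in findings if f["is_admin"]]
    recent = [f for f in findings if f["registered"] >= created_since]
    return admins, recent


if __name__ == "__main__":
    found = find_near_mapped_users(SAMPLE_USER_CSV)
    admins, recent = triage(found, "2026-05-01 00:00:00")
    for f in found:
        print(f"{f['id']:>3} {f['login']:<12} {f['account']:<20} admin={f['is_admin']}")
```

Run it against a real export by replacing `SAMPLE_USER_CSV` with the output of the `wp user list` command named in the lead-in; every flagged administrator should be verified out of band, since the mapping alone is enough to reach that account through the vulnerable handler.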

Evidence notes

The vulnerability was reported by Wordfence and is documented in the Wordfence Threat Intelligence database. Source code references point to specific lines in the UserLoginController.php file of the near-login plugin trunk, showing the vulnerable `ajaxLoginWithNear()` function implementation. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.

Official resources

2026-05-27