ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-8994 Authentication Bypass in Login with NEAR WordPress Plugin

A brief summary of CVE-2026-8994, a high severity authentication bypass in the Login with NEAR WordPress plugin that allows unauthenticated attackers to log in as any user, including administrators, via a single crafted POST request with no wallet ownership verification.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-27

Quick Look: CVE-2026-8994 Authentication Bypass in Login with NEAR WordPress Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A WordPress plugin designed to let users authenticate with their NEAR Protocol cryptocurrency wallets turns out to skip the one step that matters: actually verifying that the requester owns the wallet. CVE-2026-8994 is an authentication bypass in the Login with NEAR plugin (versions 0.3.3 and below) that allows any unauthenticated attacker to log in as an arbitrary WordPress user, including administrators, with a single HTTP POST request.

The Login with NEAR plugin (slug: near-login) is a niche Web3 integration tool that bridges NEAR Protocol wallet authentication into WordPress. Published in December 2022 by a single developer (Learn NEAR Club), it has fewer than 10 active installations according to the WordPress plugin directory. While its installed base is minimal, the vulnerability is a textbook example of a dangerous pattern we are seeing repeatedly in 2026: WordPress authentication plugins that accept identity claims without any cryptographic proof.

Technical Information

Root Cause: Zero Verification of Wallet Ownership

The vulnerability lives in the ajaxLoginWithNear() function within Controllers/UserLoginController.php. This function is registered as a wp_ajax_nopriv_ action, which in WordPress means it is explicitly accessible to unauthenticated users. The entire authentication decision rests on a single substring check:

if (strpos($account, '.near') !== false)

That is the totality of the "authentication" logic. There is no nonce verification, no cryptographic signature validation, no challenge response exchange with the NEAR blockchain, and no proof whatsoever that the requester controls the NEAR wallet they claim to own. The NEAR Protocol itself provides robust cryptographic signature and challenge response mechanisms for wallet authentication, but the plugin implements none of them.

How the Attack Works, Step by Step

Step 1: Reaching the unauthenticated endpoint. The function is hooked to wp_ajax_nopriv_login_with_near at line 16 of UserLoginController.php. WordPress routes any AJAX request from a logged out user with the parameter action=login_with_near directly to this handler.

Step 2: Supplying an arbitrary account name. The function reads $_POST['account'] and passes it through sanitize_text_field() (line 29). This sanitization strips HTML tags but performs no identity validation. The attacker can supply any string they choose.

Step 3: Passing the substring check. At line 46, the function checks whether the supplied account string contains .near. Any string containing that substring passes. This is the only gate between an unauthenticated request and a valid WordPress session.

Step 4: Deterministic email derivation. The helper function getUserEmailByAccount() (line 76) concatenates the supplied account name with @near.org to produce an email address. For example, supplying admin.near produces [email protected]. The handler then calls get_user_by('email', $email) to look up an existing WordPress user.

Step 5: Hijacking an existing account. If a WordPress user with the derived email address exists, the handler calls wp_set_auth_cookie($user->ID, true), issuing a valid persistent authentication cookie for that user. If the matched user holds an administrator role, the attacker gains full administrative access to the WordPress site.

Step 6: Creating a new rogue account. If no matching user exists, the handler calls wp_create_user($account, wp_generate_password(), $email) to create a brand new WordPress account, then immediately authenticates it via wp_set_auth_cookie(). The attacker never needs the randomly generated password because they are already logged in.

The Exploit Request

The entire attack reduces to a single HTTP POST:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=login_with_near&account=<target>.near

Where <target>.near is chosen so that <target>[email protected] matches an existing WordPress user's email address. No special tools, no prior authentication, and no user interaction are required.

CVSS Breakdown

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.1 (High).

MetricValueExplanation
Attack VectorNetworkExploitable remotely over HTTP
Attack ComplexityHighAttacker must know or guess the correct account to email mapping
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeUnchangedImpact confined to the WordPress instance
ConfidentialityHighFull access to all site data
IntegrityHighFull modification of content and settings
AvailabilityHighFull disruption of site operations possible

The "High" attack complexity rating reflects that the attacker needs to identify which .near account name maps to an existing WordPress user's email. In practice, this information can often be inferred or enumerated, particularly for administrator accounts.

CWE Classification

This vulnerability is classified as CWE-287: Improper Authentication, defined as: "When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct." The plugin accepts the attacker's claim of NEAR wallet ownership (the account parameter) without any cryptographic or challenge response proof that the claim is legitimate.

Affected Systems and Versions

The vulnerability affects the Login with NEAR WordPress plugin in all versions up to and including 0.3.3. This is the current stable release. No patched version exists.

AttributeValue
Plugin NameLogin with NEAR
Slugnear-login
Affected VersionsAll versions through 0.3.3
WordPress Compatibility5.0 or higher
PHP Compatibility7.2 or higher
Active InstallationsFewer than 10
Patch StatusNo patch available

Any WordPress site with this plugin installed and activated is vulnerable, regardless of configuration. The vulnerable endpoint (wp_ajax_nopriv_login_with_near) is registered unconditionally when the plugin is active.

Vendor Security History

The Login with NEAR plugin is authored by a single developer (Learn NEAR Club) with no additional contributors listed on the WordPress.org repository. The plugin was last modified on November 10, 2025, roughly 7 months before this vulnerability was disclosed. The low version number (0.3.3), small codebase (2.5 KB for the vulnerable controller), and extended gap without updates all point to minimal ongoing maintenance.

This vulnerability fits into a broader pattern of CWE-287 (Improper Authentication) flaws across WordPress plugins in 2026. Several comparable authentication bypass vulnerabilities have been disclosed this year:

CVEPluginCVSSDescription
CVE-2026-7567Temporary Login (versions through 1.0.0)HighAuthentication Bypass to Account Takeover
CVE-2026-4587HybridAuthHighAuth Bypass via Improper Certificate Validation
CVE-2026-1779WordPress User RegistrationHighAuthentication Bypass
CVE-2026-5118Divi Form Builder (versions through 5.1.2)9.8Unauthenticated Privilege Escalation

The recurring theme across these vulnerabilities is accepting identity claims without sufficient verification, the exact flaw present in Login with NEAR.

Mitigation

Since no patch exists and the plugin's maintenance status suggests one is unlikely, the primary mitigation is complete removal of the Login with NEAR plugin. Simply deactivating it without deleting leaves the code on the server, where it could be reactivated through a separate compromise.

Additional steps for sites that may have been exposed:

  1. Audit user accounts: Check the wp_users table for accounts with [email protected] email addresses that were not intentionally created. Delete any unauthorized accounts.
  2. Reset administrator passwords: If there is any possibility the vulnerability was exploited before disclosure, force password resets for all administrative users and review for persistent backdoor access (new admin accounts, modified files, installed plugins).
  3. Deploy WAF rules: Wordfence Premium, Care, and Response customers received a firewall rule to block exploitation attempts targeting this specific vulnerability. This provides interim protection while plugin removal is coordinated.
  4. Block the specific endpoint: As a defense in depth measure, restrict unauthenticated POST requests to wp-admin/admin-ajax.php with the action=login_with_near parameter via server level access controls.

For organizations that require NEAR wallet authentication on WordPress, the recommendation is to evaluate alternative implementations that properly leverage the NEAR blockchain's native cryptographic signature verification rather than relying on a trivially forged substring check.

Threat Landscape Context

No confirmed active exploitation of CVE-2026-8994 has been reported as of the disclosure date (May 27, 2026). However, several factors make this vulnerability worth tracking:

The exploit is trivially simple: a single POST request with no specialized tooling. The vulnerable source code is fully visible on the WordPress Trac repository, providing everything needed to develop a working exploit. VulnCheck's analysis of routinely targeted vulnerabilities in 2026 notes that several CVEs that showed no exploitation at disclosure time were later observed being used in the wild. WordPress authentication bypass vulnerabilities are a known target for opportunistic threat actors who use automated scanning to identify vulnerable plugin installations.

The limited installation base (fewer than 10 active sites) significantly constrains the real world blast radius. Mass exploitation is unlikely given the tiny target population. However, any individual site running this plugin should treat the risk as immediate, particularly because the attack requires no authentication, no user interaction, and produces no obvious indicators to the site owner.

The more significant takeaway for the broader WordPress security community is the pattern this vulnerability represents. Web3 and blockchain integration plugins are a growing category, and the Login with NEAR flaw demonstrates what happens when a plugin bridges a cryptographically secured system (the NEAR blockchain) into WordPress without actually implementing any of the cryptographic verification that makes the source system secure. Organizations deploying any Web3 login plugin should verify that wallet ownership is proven through signed messages or challenge response exchanges, not string matching.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization