
High Vulnerability in Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)


Published Jason Boyd

Any WordPress site running Really Simple Security below version 9.5.10.1 is currently exposed to an attacker who can exploit a high-severity vulnerability without needing administrative credentials. The CVE-2026-48970 record was disclosed on 15 June 2026. If your site is still on an older version, it is vulnerable right now.

Really Simple Security is installed across a large number of WordPress sites precisely because it handles SSL configuration and security hardening, which makes the irony of it introducing a high-severity exposure particularly pointed. This is the nature of software: every plugin, regardless of its purpose, can carry a flaw.

What the CVE-2026-48970 Vulnerability Allows

The CVSS score for this flaw is 8.1 out of 10, placing it firmly in the High category. A score at this level indicates that exploitation can cause significant damage without requiring complex conditions or a highly privileged attacker. Every version of Really Simple Security below 9.5.10.1 is affected, and the fix is already available: version 9.5.10.1 resolves it.

At this severity level, the risk is concrete. Attackers scan WordPress sites at scale, often within hours of a CVE disclosure, using automated tools that check plugin version numbers and attempt known exploits. Volume-based attacks affect ordinary business sites as readily as large ones, so your site does not need to be a high-profile target for this to matter.

How to Check Your Version and Fix It

Log in to your WordPress dashboard and go to Plugins > Installed Plugins. Find Really Simple Security in the list — the version number appears beneath the plugin name. If it reads anything below 9.5.10.1, apply the update immediately.

If automatic updates are enabled and the plugin has already updated, still confirm the version number in the plugins list. Automatic updates occasionally fail silently, particularly on sites with hosting configurations that restrict file write permissions. If WordPress is showing an update notification for this plugin, apply it now.

To update manually:

  1. Go to Plugins > Installed Plugins
  2. Locate Really Simple Security in the list
  3. Click Update Now beneath the plugin name
  4. Wait for the update to complete, then confirm the version number reads 9.5.10.1 or higher

Once updated, check that your site is functioning normally. Security plugin updates occasionally affect site behaviour, particularly around redirect rules or header configurations, so a quick check of your homepage, login page, and any forms takes two minutes and confirms nothing has broken.

If you are running the Pro version of Really Simple Security, the same process applies. The fix is in version 9.5.10.1 regardless of whether you are on the free or paid tier.
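For sites managed from the command line, the same check can be scripted rather than read off the Plugins screen. The script below is an added example, not part of the original article: it parses the CSV output of `wp plugin list` (a constructed sample is embedded so it runs offline) and compares the installed version against the fixed release 9.5.10.1 component by component. A numeric component compare matters here because a plain string comparison would rank "9.5.9" above "9.5.10". The plugin slug `really-simple-ssl` is an assumption about the wordpress.org slug; adjust it if your install uses a different directory name.

```shell
#!/bin/sh
# Added example (not from the article): flag a Really Simple Security install
# that is below the fixed release 9.5.10.1.

FIXED_VERSION="9.5.10.1"
PLUGIN_SLUG="really-simple-ssl"   # assumption: wordpress.org slug for the plugin

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically and missing trailing components count as 0,
# so 9.5.10 < 9.5.10.1 and 9.5.9 < 9.5.10 both hold.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal -> not less than
    }'
}

# needs_update VERSION -> prints "vulnerable" if VERSION is below the fix, else "patched"
needs_update() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# plugin_version CSV -> prints the installed version of $PLUGIN_SLUG from
# `wp plugin list --format=csv --fields=name,status,version` output
plugin_version() {
    printf '%s\n' "$1" | awk -F, -v slug="$PLUGIN_SLUG" 'NR > 1 && $1 == slug { print $3 }'
}

# Constructed sample of WP-CLI output so the script runs offline.
# On a live site replace it with:
#   SAMPLE_PLUGIN_LIST=$(wp plugin list --format=csv --fields=name,status,version)
SAMPLE_PLUGIN_LIST='name,status,version
akismet,active,5.3
really-simple-ssl,active,9.5.9
hello,inactive,1.7.2'

installed=$(plugin_version "$SAMPLE_PLUGIN_LIST")
if [ -z "$installed" ]; then
    echo "$PLUGIN_SLUG: not installed"
else
    echo "$PLUGIN_SLUG $installed: $(needs_update "$installed") (fixed in $FIXED_VERSION)"
fi
```

Run it against live WP-CLI output on each site you manage; any line reporting "vulnerable" is a site that still needs the update described above.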

Plugin vulnerabilities of this severity are disclosed publicly, which means the information is available to everyone, including people who look for sites that have not yet updated. The CVE for this flaw was published on 15 June 2026, and the window between disclosure and exploitation can be very short. Every day a site remains on an older version after that date is a day of unnecessary exposure.

Keeping plugins updated is the primary mechanism by which known vulnerabilities are closed. WordPress core, themes, and plugins all receive security updates, and each one that goes unapplied leaves a known, documented entry point open. Security researchers publish CVE records so that administrators can act. Attackers read the same records.

Many business owners assume their hosting provider handles this. Some managed hosting environments do apply certain updates automatically, but this is neither universal nor guaranteed. Responsibility for the software running on your site sits with the site owner, so if you are unsure whether your hosting applies security updates automatically, check manually rather than assuming it does.

One consequence that rarely gets considered: if your site is compromised through a known, patched vulnerability, and that compromise results in customer data being exposed or your site being used to distribute malware, the fact that a fix was available and not applied becomes a material factor. It affects how you explain the incident to affected customers and how any regulatory body might view the situation. Being caught by a zero-day is one category of problem; leaving a documented, fixable vulnerability unpatched is another, and the distinction matters.

If you are running Really Simple Security and want confirmation that your site is on the patched version, or if you want me to audit your full plugin stack for known vulnerabilities and outdated software, contact me at The WordPress Guy. The CVE-2026-48970 disclosure was published on 15 June 2026; sites that have not updated since that date are exposed to a flaw with a CVSS score of 8.1, and the fix is a single plugin update away.


Jason Boyd

Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years

I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
