Security Advisory

Security Advisory: JWT Validation Bypass in SYSSY WordPress Plugin

Vioro Security Research identified a JWT validation bypass in the SYSSY WordPress plugin (v2.0.0 <= 2.0.1) that allowed expired tokens to be accepted.

By Daniel Bunte • Published: 2026-07-11

At Vioro, we believe that website monitoring shouldn’t require installing additional plugins that increase a site’s attack surface. As part of our continuous security research into the WordPress ecosystem, we analyzed how various monitoring plugins handle authentication and data exposure.

During this research, we identified an authentication weakness in the SYSSY – Monitoring Websites WordPress plugin (version 2.0.0 <= 2.0.1). We responsibly disclosed this vulnerability to SYSSY Online GmbH, who confirmed the issue and released a patch within a short timeframe.

Technical Details

The SYSSY plugin exposes a REST API endpoint that allows the central SYSSY SaaS platform to pull internal site metrics (WordPress version, active plugins, PHP version, etc.). Authentication for this endpoint relies on a shared secret (API key) used to verify HMAC-signed JSON Web Tokens (JWTs).

While analyzing the JWT verification logic, we discovered that the plugin failed to properly enforce the ‘exp’ (expiration) and ‘nbf’ (not before) claims.

Due to a missing json_decode step in the payload processing, the plugin treated the decoded JWT payload as a raw string rather than a JSON object. When the code subsequently attempted to evaluate isset($payload['exp']), it performed a string-offset check rather than a JSON key lookup.

As a result:

  1. Validly signed but expired tokens were accepted.
  2. Tokens completely lacking lifetime claims were also accepted.

If an attacker were to compromise a previously valid token or the underlying shared secret (API key), they could interact with the plugin’s REST endpoint indefinitely, bypassing intended token lifetime restrictions.

Additional Finding: Crypto Fallback

We also noted a secondary architectural weakness in the plugin’s response encryption fallback. If the required OpenSSL functions (openssl_encrypt, openssl_random_pseudo_bytes) are missing on the host server, the plugin falls back to sending the response data as Base64 encoded text appended with an HMAC signature. This preserves data integrity but completely removes application-layer confidentiality for the exposed system data.

After a quick discussion, the vendor agreed to follow our recommendation and to remove the fallback mechanism in version 2.0.3 entirely.

Disclosure Timeline

Vioro practices responsible disclosure. The vendor responded exceptionally quickly and professionally.

  • 2026-06-24: Vulnerability discovered and analyzed by Vioro.
  • 2026-06-24: Initial contact with SYSSY Online GmbH via email. Vendor acknowledged the JWT issue within hours and committed to a fix.
  • 2026-06-26: Vioro provided further context on the Crypto fallback mechanism and proposed coordinating a CVE.
  • 2026-06-27: Patched version released by vendor on the WordPress repository.
  • 2026-07-03: Vulnerability report submitted to CNA, CVE number is pending.

The Vioro Perspective: Why Architecture Matters

This finding perfectly illustrates why we built Vioro differently.

The traditional monitoring approach requires installing a plugin on the client’s site. This creates a “pull” architecture where a central SaaS authenticates against your WordPress instance to extract data. This model requires exposing new API endpoints, managing shared secrets, and trusting that the plugin’s cryptography is flawless.

At Vioro, we use an outside-in approach. We don’t ask you to install plugins. We monitor your websites exactly how attackers see them: from the outside. By mapping external fingerprints to real-time CVE databases, we alert you to vulnerabilities without adding new attack vectors to your WordPress installation.

For a deeper dive into the technical risks of “Pull” monitoring plugins and how to design them securely, read our architectural analysis: The Architecture of a Secure WordPress Monitoring Plugin.

If you are an agency managing dozens of WordPress sites, you can secure them today without installing a single piece of code. Start your 14-day trial today.

Don't wait for the next plugin vulnerability.

Vioro monitors your WordPress sites from the outside. No plugins, no endpoints, no added risk.

Start 14-day trial

Free 14-day trial • European-owned cloud infrastructure • Zero-plugin integration