Advisory

Critical authentication bypass in Really Simple Security (Really Simple SSL) WordPress security plugin

Take action: This is the time not to f#@k around and find out. If you are using Really Simple Security plugin, patch it NOW. And tell your friends to patch. Because attacks are automated, and weirdly, you need to have a good security mindset - have enabled 2FA - to be hacked. Don't disable 2FA, just patch.


Really Simple Security (formerly Really Simple SSL), a widely used WordPress security plugin installed on over 4 million websites, has been found to contain a critical authentication bypass vulnerability that affects both its free and Pro versions. The plugin provides essential security features including SSL configuration, login protection, two-factor authentication, and real-time vulnerability detection.

Vulnerability details:

  • CVE-2024-10924 (CVSS score 9.8) - Authentication bypass vulnerability in two-factor REST API actions. Allows unauthorized access to any user account, including administrator. It's caused by improper handling of user authentication in the 'check_login_and_get_user()' function. To exploit this flaw, two-factor authentication (2FA) must be enabled.

Affected versions are 9.0.0 through 9.1.1.1 (Free, Pro, and Pro Multisite releases).

The flaw is fixed in version 9.1.2 (released November 12, 2024 for Pro and November 14, 2024 for free users). WordPress.org initiated forced security updates for free version users. Pro version users with expired licenses must update manually.
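As an added example (not code from the advisory or from the plugin vendor), a small Python checker that classifies an installed plugin version against the affected range (9.0.0 through 9.1.1.1) and the fixed release (9.1.2) stated above, so it can be run across a fleet of sites to find installs that the forced update did not reach. The plugin file header it parses is a constructed sample; the `Version:` field follows the standard WordPress plugin header format.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from the advisory text.
FIRST_AFFECTED = (9, 0, 0)
LAST_AFFECTED = (9, 1, 1, 1)
FIXED = (9, 1, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '9.1.1.1' into a tuple of ints.

    Tuples compare component-wise, so (9, 1, 1, 1) < (9, 1, 2) and
    (9, 10, 0) > (9, 9, 0); a plain string comparison would get the
    second case wrong and mis-classify a future 9.10.x release.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_plugin_header(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)\s*$",
                  header, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """Classify a version as VULNERABLE, PATCHED, or UNAFFECTED (pre-9.0.0)."""
    v = parse_version(version)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "VULNERABLE"
    if v >= FIXED:
        return "PATCHED"
    return "UNAFFECTED"  # releases before 9.0.0 are not listed as affected


# Constructed sample mimicking the top of a plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

if __name__ == "__main__":
    ver = version_from_plugin_header(SAMPLE_HEADER)
    print(ver, assess(ver))  # prints: 9.1.1.1 VULNERABLE
```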

The vulnerability is very dangerous since it can be exploited through automated scripts for mass website takeovers. As of 17 November 2024, approximately 3.5 million sites potentially remain vulnerable: WordPress.org stats report only 450,000 downloads of the patched version.

Wordfence, the security firm that discovered the vulnerability, considers this one of the most severe vulnerabilities in their 12-year history.
