Security plugin flaw in millions of WordPress sites gives admin access

![WordPress](https://www.bleepstatic.com/content/hl-images/2023/12/07/back.jpg)

A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions.

Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used on over four million websites.

Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, [warning](https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/) that it allows remote attackers to gain full administrative access to impacted sites.

To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.

Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody runs a vulnerable version.

## 2FA leading to weaker security

The critical severity flaw in question is [CVE-2024-10924](https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass), discovered by Wordfence researcher István Márton on November 6, 2024.

It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.

Specifically, the problem lies in the ‘check_login_and_get_user()’ function, which verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.

When ‘login_nonce’ is invalid, the request isn’t rejected, as it should be, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing authentication bypass.

The flaw is exploitable when two-factor authentication (2FA) is enabled, and even though it’s disabled by default, many administrators will enable it for stronger account security.

CVE-2024-10924 impacts plugin versions from 9.0.0 up to 9.1.1.1 of the ‘free,’ ‘Pro,’ and ‘Pro Multisite’ releases.

The developer addressed the flaw by ensuring that the code now correctly handles ‘login_nonce’ verification failures, exiting the ‘check_login_and_get_user()’ function immediately.

The fixes were applied to version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.

The vendor coordinated with WordPress.org to perform forced security updates for users of the plugin, but website administrators still need to check and ensure they’re running the latest version (9.1.2).

Users of the Pro version have their auto-updates disabled when the license expires, so they must manually update to 9.1.2.

As of yesterday, the [WordPress.org stats](https://wordpress.org/plugins/really-simple-ssl/advanced/) site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.
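To make the fail-open control flow described above concrete, here is an added, simplified model of a 2FA login-completion check (not the plugin's code; the function names, the HMAC nonce scheme and the sample accounts are assumptions) showing the vulnerable branch structure next to the fail-closed version that exits as soon as the nonce check fails:

```python
# Added illustration, NOT the Really Simple Security source: a minimal model of
# a login-completion step that receives user_id and login_nonce. The nonce
# scheme (HMAC over user_id) and the USERS table are constructed for the demo.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed, per-process secret
USERS = {1: "admin", 2: "editor"}         # constructed sample accounts


class NonceError(Exception):
    """Raised when the login nonce does not match the user_id."""


def issue_login_nonce(user_id: int) -> str:
    """Nonce the server would hand out after a correct password, before 2FA."""
    return hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()


def nonce_is_valid(user_id: int, login_nonce: str) -> bool:
    """Constant-time comparison of the presented nonce with the expected one."""
    return hmac.compare_digest(issue_login_nonce(user_id), login_nonce or "")


def authenticate_and_redirect(user_id: int) -> str:
    """Models the step that establishes a session for user_id with no further checks."""
    return USERS[user_id]


def check_login_vulnerable(user_id: int, login_nonce: str) -> str:
    # Fail-open pattern: an invalid nonce only records an error, then control
    # falls through to authenticate_and_redirect(), so user_id alone decides
    # which account is logged in. This is the shape of bug the article describes.
    errors = []
    if not nonce_is_valid(user_id, login_nonce):
        errors.append("invalid login_nonce")
    return authenticate_and_redirect(user_id)


def check_login_fixed(user_id: int, login_nonce: str) -> str:
    # Fail-closed pattern: nonce failure (or an unknown user) leaves the
    # function immediately; the code that trusts user_id is never reached.
    if user_id not in USERS or not nonce_is_valid(user_id, login_nonce):
        raise NonceError("invalid login_nonce")
    return authenticate_and_redirect(user_id)
```

The lesson for reviewers is the shape of the branch: any error path in an authentication step must return or raise before the code that grants the session, not merely record the failure.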
