Critical WordPress plugin vulnerability

Published: November 20, 2024

Summary:

A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions.

This remotely exploitable flaw can allow an attacker to gain full administrative access to a WordPress site. However, ironically, it is only an issue if the “Two-Factor Authentication” setting is enabled (disabled by default).

Paid Wordfence users received the patch for this on November 6; free users will not receive it until December 6th, so they may need to update themselves.

Details:

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. When the “Two-Factor Authentication” setting is enabled (disabled by default), unauthenticated attackers can use this to log in as any existing user on the site, such as an administrator.

Affected Plugins: Really Simple Security, Really Simple Security Pro, Really Simple Security Pro Multisite

CVE ID: CVE-2024-10924
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impacted versions:

Plugin Slugs: really-simple-ssl, really-simple-ssl-pro, really-simple-ssl-pro-multisite
Affected Versions: 9.0.0 – 9.1.1.1

Recommendations:

If you have enabled the “Two-Factor Authentication” setting, patch to the current version (v 9.1.2) ASAP. Otherwise, patch as soon as possible so you can then use two-factor authentication, which we recommend for all sites.
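The following triage helper is an added example, not code from the advisory or from the plugin's authors. It takes a constructed inventory of sites (slug, installed version, whether the "Two-Factor Authentication" setting is on) and applies the conditions stated above: installs in the 9.0.0 to 9.1.1.1 range with the setting enabled are flagged as urgent, affected installs with it disabled are flagged as needing the 9.1.2 update before the feature is turned on, and everything else passes. The four-component version comparison is the only non-obvious part; the field names in the inventory records are assumptions for the example.

```python
from dataclasses import dataclass

# Slugs and version range taken from the advisory above.
AFFECTED_SLUGS = {
    "really-simple-ssl",
    "really-simple-ssl-pro",
    "really-simple-ssl-pro-multisite",
}
FIRST_AFFECTED = "9.0.0"
LAST_AFFECTED = "9.1.1.1"
FIXED_VERSION = "9.1.2"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a 4-tuple of ints for comparison.

    The affected range ends at a four-part version (9.1.1.1), so shorter
    versions are padded with zeros: 9.1.2 -> (9, 1, 2, 0), which correctly
    sorts after (9, 1, 1, 1).
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(slug: str, version: str) -> bool:
    """True when the plugin slug and installed version fall in 9.0.0 - 9.1.1.1."""
    if slug not in AFFECTED_SLUGS:
        return False
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


@dataclass
class SiteRecord:
    """One row of a (constructed) plugin inventory; field names are assumed."""
    site: str
    slug: str
    version: str
    two_factor_enabled: bool


def triage(record: SiteRecord) -> str:
    """Map a site to 'urgent', 'patch' or 'ok' using the advisory's conditions."""
    if not is_affected(record.slug, record.version):
        return "ok"
    # Affected version with the 2FA setting on: the bypass is reachable.
    if record.two_factor_enabled:
        return "urgent"
    # Affected version but setting off: update before enabling the feature.
    return "patch"


def triage_inventory(records) -> dict:
    """Group site names by triage result so urgent ones can be handled first."""
    result = {"urgent": [], "patch": [], "ok": []}
    for rec in records:
        result[triage(rec)].append(rec.site)
    return result


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    SiteRecord("blog.example", "really-simple-ssl", "9.1.1.1", True),
    SiteRecord("shop.example", "really-simple-ssl-pro", "9.0.0", False),
    SiteRecord("intranet.example", "really-simple-ssl-pro-multisite", "9.1.2", True),
    SiteRecord("legacy.example", "really-simple-ssl", "8.3.0", True),
    SiteRecord("other.example", "some-other-plugin", "9.1.0", True),
]

if __name__ == "__main__":
    for bucket, sites in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(sites) or '-'}")
```

Feeding the real output of a plugin inventory into `SiteRecord` is left to the reader; the point is that the version comparison must treat 9.1.2 as newer than 9.1.1.1, which a naive string comparison gets wrong.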

Support:

As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.