A critical authentication bypass vulnerability has been identified in the WordPress plugin 'Really Simple Security' (formerly known as 'Really Simple SSL'), affecting both its free and Pro versions.
Really Simple Security is a WordPress security plugin providing SSL setup, login protection, two-factor authentication, and real-time vulnerability monitoring. Its free version is currently active on over four million websites.
Wordfence, which revealed the vulnerability publicly, describes it as one of the most critical flaws reported in its 12-year history, cautioning that it enables remote attackers to achieve full administrative control of affected sites.
Compounding the issue, the flaw can be leveraged on a large scale through automated scripts, potentially triggering widespread website takeover incidents.
In response to the threat, Wordfence recommends that hosting providers enforce plugin updates on customer sites and scan databases to ensure no vulnerable versions remain in use.
2FA leading to weaker security
The critical vulnerability, identified as CVE-2024-10924, was discovered by Wordfence researcher István Márton on November 6, 2024.
This issue stems from inadequate handling of user authentication in the plugin’s two-factor REST API actions, allowing unauthorized access to any user account, including those with administrative privileges.
The flaw specifically resides in the 'check_login_and_get_user()' function, which validates users by analyzing the 'user_id' and 'login_nonce' parameters.
When the 'login_nonce' value is invalid, the request is not properly rejected. Instead, it triggers the 'authenticate_and_redirect()' function, which relies solely on the 'user_id' to authenticate the user, thereby facilitating an authentication bypass.
Exploitation of this flaw is possible when two-factor authentication (2FA) is enabled. While 2FA is disabled by default, many administrators activate it to enhance account security.
CVE-2024-10924 affects plugin versions ranging from 9.0.0 to 9.1.1.1 across the “free,” “Pro,” and “Pro Multisite” editions.
The developer resolved the issue by implementing correct handling of 'login_nonce' verification failures, ensuring the 'check_login_and_get_user()' function exits immediately in such cases.
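The failure pattern described above (a nonce check whose failure does not stop the request, so the user lookup runs on 'user_id' alone) and the fix pattern (exit immediately on a failed verification) are illustrated below. This is an added example written for this article, not the plugin's own code; the function names prefixed 'demo_', the nonce action string, and the REST parameter handling are assumptions, while wp_verify_nonce(), get_user_by(), WP_Error, is_wp_error(), wp_set_auth_cookie() and rest_ensure_response() are standard WordPress functions.

```php
<?php
// Added illustration, not the Really Simple Security plugin's code.
// Models a two-factor login step exposed through the REST API, where the
// request carries 'user_id' and 'login_nonce'. All demo_* names are hypothetical.

/**
 * Vulnerable pattern: the failed nonce check is logged but not fatal, so
 * execution falls through to a lookup that trusts user_id by itself.
 */
function demo_check_login_vulnerable( WP_REST_Request $request ) {
    $user_id     = (int) $request->get_param( 'user_id' );
    $login_nonce = (string) $request->get_param( 'login_nonce' );

    if ( ! wp_verify_nonce( $login_nonce, 'demo_login_' . $user_id ) ) {
        // Bug: no return here, so an invalid nonce does not end the request.
        error_log( 'demo: login nonce check failed for user ' . $user_id );
    }

    // Reached even when the nonce was invalid; user_id is the only input left.
    return get_user_by( 'id', $user_id );
}

/**
 * Hardened pattern: every verification failure returns a WP_Error at once,
 * and only a real WP_User object is ever handed back to the caller.
 */
function demo_check_login_hardened( WP_REST_Request $request ) {
    $user_id     = (int) $request->get_param( 'user_id' );
    $login_nonce = (string) $request->get_param( 'login_nonce' );

    if ( $user_id <= 0 || '' === $login_nonce ) {
        return new WP_Error( 'invalid_params', 'Missing user_id or login_nonce.', array( 'status' => 400 ) );
    }

    if ( ! wp_verify_nonce( $login_nonce, 'demo_login_' . $user_id ) ) {
        // Exit immediately: nothing below this line may run for a bad nonce.
        return new WP_Error( 'invalid_nonce', 'Login nonce is invalid or expired.', array( 'status' => 403 ) );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'no_user', 'Unknown user.', array( 'status' => 404 ) );
    }

    return $user;
}

/**
 * Caller: refuses to create a session unless the check returned a WP_User.
 * The REST API serialises a returned WP_Error with its HTTP status code.
 */
function demo_authenticate_and_redirect( WP_REST_Request $request ) {
    $user = demo_check_login_hardened( $request );
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );

    return rest_ensure_response( array( 'redirect' => admin_url() ) );
}
```

The design point is that the nonce check and the user lookup are separated by an early return, and the caller treats anything other than a WP_User as a refusal; a check that only records its failure gives the same session-creation path to valid and invalid requests alike.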
These fixes were incorporated into version 9.1.2 of the plugin, released on November 12 for Pro users and November 14 for free users.
To mitigate the risk, the vendor collaborated with WordPress.org to enforce security updates for users of the plugin. However, website administrators must verify they are running the latest version (9.1.2).
Pro version users with expired licenses have auto-updates disabled, requiring them to manually update to version 9.1.2.
As of yesterday, WordPress.org's statistics site, which tracks free version installations, recorded around 450,000 downloads, leaving approximately 3,500,000 sites still vulnerable to the flaw.
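For hosting providers doing the inventory scan Wordfence recommends, the check reduces to flagging any install whose plugin version lies inside the affected range of 9.0.0 to 9.1.1.1. The following is an added example, not code from the article or the vendor; the inventory rows are constructed sample data, the demo_* names are hypothetical, and version_compare() is PHP's built-in version comparison.

```php
<?php
// Added example: flag installs of the plugin still inside the affected
// version range. Bounds are the ones stated in the article.

const DEMO_FIRST_AFFECTED = '9.0.0';
const DEMO_LAST_AFFECTED  = '9.1.1.1';
const DEMO_FIXED          = '9.1.2';

/** True when $version is within [9.0.0, 9.1.1.1] inclusive. */
function demo_is_affected_version( string $version ): bool {
    return version_compare( $version, DEMO_FIRST_AFFECTED, '>=' )
        && version_compare( $version, DEMO_LAST_AFFECTED, '<=' );
}

/**
 * Returns the site names that still run an affected version.
 * $inventory maps site => array( 'edition' => ..., 'version' => ... ).
 */
function demo_sites_needing_update( array $inventory ): array {
    $needs_update = array();
    foreach ( $inventory as $site => $info ) {
        if ( demo_is_affected_version( $info['version'] ) ) {
            $needs_update[] = $site;
        }
    }
    return $needs_update;
}

// Constructed inventory (not real sites): edition and installed version.
$inventory = array(
    'alpha.example' => array( 'edition' => 'free', 'version' => '9.1.1.1' ), // last affected
    'beta.example'  => array( 'edition' => 'pro',  'version' => '9.1.2' ),   // fixed
    'gamma.example' => array( 'edition' => 'free', 'version' => '8.3.0' ),   // below range
    'delta.example' => array( 'edition' => 'pro',  'version' => '9.0.0' ),   // first affected
);

foreach ( demo_sites_needing_update( $inventory ) as $site ) {
    printf( "%s: %s edition, update to %s or later\n", $site, $inventory[ $site ]['edition'], DEMO_FIXED );
}
```

The version string can be read from the plugin header on disk or from WP-CLI ('wp plugin get really-simple-ssl --field=version', where really-simple-ssl is the free edition's directory name on WordPress.org; the Pro edition installs under a different directory). Flag a site regardless of whether 2FA is currently enabled, since the setting can be turned on later without a version change.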
Source: BleepingComputer, Bill Toulas