A critical security flaw in one of WordPress’s most popular plugins has left over 4 million websites vulnerable to potential hacking attempts.
The Really Simple Security plugin, formerly known as Really Simple SSL, contains an authentication bypass vulnerability that could allow attackers to gain full administrative access to affected sites.
The vulnerability, discovered by the Wordfence Threat Intelligence team on November 6, 2024, affects versions 9.0.0 through 9.1.1.1 of the Really Simple Security plugin, including its free, pro, and pro multisite versions.
The flaw has been tracked as “CVE-2024-10924,” that has received a critical CVSS score of “9.8.” The security issue stems from improper error handling in the two-factor authentication feature of the plugin.
Security analysts at Wordfence identified that when enabled, this vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user on the site, including administrators. This could potentially lead to complete site compromise and further infection.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Technical analysis
Really Simple Plugins, the developer of the affected plugin, was notified on November 6 and responded promptly. They released patches for the pro versions on November 12 and for the free version on November 14.
Due to the severity of the vulnerability, the WordPress[.]org plugins team initiated a forced security update to version 9.1.2 for all affected installations.
While most sites should have been automatically updated, website owners are strongly advised to verify that their installations have been patched to version 9.1.2 or newer.
.webp)
It’s particularly crucial for users of the pro versions to ensure their sites have been updated, as auto-updates may not function for sites without a valid license.
Security experts emphasize the importance of keeping plugins updated and regularly checking for known vulnerabilities.
Website administrators are encouraged to use reputable security plugins, keep all software components up-to-date, and promptly disable or remove plugins with known security issues.
This incident serves as a stark reminder of the ongoing security challenges in the WordPress ecosystem. It underscores the critical need for vigilance, regular updates, and robust security practices to protect websites from potential threats.
Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.