A high-severity security flaw has been uncovered in the popular WordPress plugin Really Simple Security (formerly Really Simple SSL), used by over 4 million websites.
This vulnerability tracked as CVE-2024-10924, poses a significant risk. It enables attackers to bypass authentication and gain full administrative access to affected sites.
The Issue at Hand
The flaw was disclosed by Wordfence on November 6, 2024, from improper handling of user authentication in the plugin’s two-factor REST API. Specifically, the issue lies in the check_login_and_get_user() function, which accepts invalid login attempts when the login_nonce parameter is incorrect. Instead of blocking access, the function defaults to authenticating the user based solely on their user_id.
This vulnerability is particularly dangerous because it can be exploited when two-factor authentication (2FA) is enabled—a feature often associated with enhanced security. Ironically, this makes affected websites more vulnerable when 2FA is active.
Impact and Exploitability
CVE-2024-10924 affects plugin versions 9.0.0 through 9.1.1.1, covering free and Pro versions, including Pro Multisite releases. Attackers can automate the exploitation process using scripts, potentially leading to widespread attacks and website takeovers.
Wordfence has described this as one of the most severe vulnerabilities in its 12-year history, recommending urgent action to mitigate risks. They’ve even suggested that hosting providers force-update the plugin and scan customer databases to prevent potential breaches.
The plugin’s developer addressed the issue in version 9.1.2 by properly verifying the login_nonce parameter, ensuring failed checks immediately exit the vulnerable function. The fixed version was rolled out for Pro users on November 12, 2024, and November 14 for free users.
While WordPress.org facilitated forced security updates, administrators are urged to verify they’re running version 9.1.2 or later. Notably, users of the Pro version with expired licenses must manually update the plugin, as auto-updates are disabled in such cases.
Despite the patch, WordPress.org’s stats reveal that over 3.5 million websites remain vulnerable, underscoring the urgency for administrators to act swiftly.
