CVE-2024-10924 Explained: Security plugin flaw in millions of WordPress sites
IONIX Tracks CVE-2024-10924 Security plugin flaw in millions of WordPress sites: This post is based on ongoing security research – and will continue to be updated as we get additional information…
What is CVE-2024-10924?
A critical authentication bypass vulnerability has been identified in the WordPress plugin Really Simple Security (formerly known as Really Simple SSL), affecting both its free and Pro versions.
According to an article in Bleeping Computer, the vulnerability, tracked as CVE-2024-10924, was discovered by Wordfence researcher István Márton on November 6, 2024. Ironically, it stems from an issue with the two-factor authentication mechanism, which, instead of enhancing security, has inadvertently created a critical weakness.
The Really Simple Security (Free, Pro, and Pro Multisite) plugin for WordPress is vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1 when the “Two-Factor Authentication” setting is enabled.
This is due to improper error handling of the user check in the two-factor REST API actions (the ‘check_login_and_get_user’ function). As a result, unauthenticated attackers can log in as any existing user on the site, including an administrator.
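The class of mistake described above is a user-lookup helper that signals failure by returning a WP_Error object while its caller only tests the result for truthiness. The following is an added, illustrative example written for this post; it is not the Really Simple Security plugin's code, and every name in it (demo_check_login_and_get_user, demo_2fa_verify_weak, demo_2fa_verify_hardened, the demo_2fa_login_nonce user meta key and the demo-2fa/v1/verify route) is hypothetical. It contrasts the weak handler pattern with a hardened one that checks is_wp_error(), takes the user ID only from the verified user object and consumes the one-time token; the second-factor code verification itself is omitted.

```php
<?php
// Illustrative only: NOT the Really Simple Security plugin's code.
// All function names, the meta key and the route are hypothetical.

// Hypothetical helper: returns a WP_User on success, a WP_Error on any failure.
// The one-time login token is assumed to be stored in user meta when the
// password step succeeded and is required again at the second-factor step.
function demo_check_login_and_get_user( int $user_id, string $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 403 ) );
    }
    $expected = get_user_meta( $user_id, 'demo_2fa_login_nonce', true );
    if ( empty( $expected ) || ! hash_equals( (string) $expected, $login_nonce ) ) {
        return new WP_Error( 'bad_nonce', 'Login token invalid', array( 'status' => 403 ) );
    }
    return $user;
}

// WEAK: a WP_Error object is truthy, so the `! $user` test never fires and
// the handler goes on to issue an auth cookie for the caller-supplied user ID.
function demo_2fa_verify_weak( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = demo_check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    if ( ! $user ) {
        return new WP_Error( 'forbidden', 'Denied', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id, true );
    return rest_ensure_response( array( 'ok' => true ) );
}

// HARDENED: explicit WP_Error check, user ID taken only from the verified
// WP_User object, and the one-time token deleted so it cannot be replayed.
// Verification of the actual second factor (TOTP, backup code, ...) would go
// after the error check and before the auth cookie is set.
function demo_2fa_verify_hardened( WP_REST_Request $request ) {
    $user = demo_check_login_and_get_user(
        (int) $request->get_param( 'user_id' ),
        (string) $request->get_param( 'login_nonce' )
    );
    if ( is_wp_error( $user ) ) {
        return $user; // the REST server renders the 403 carried in the error
    }
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'forbidden', 'Denied', array( 'status' => 403 ) );
    }
    delete_user_meta( $user->ID, 'demo_2fa_login_nonce' );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-2fa/v1', '/verify', array(
        'methods'             => 'POST',
        'callback'            => 'demo_2fa_verify_hardened',
        // The caller is mid-login and therefore unauthenticated, so the
        // callback itself must enforce the user check; declaring the
        // permission callback explicitly documents that decision.
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_id'     => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'login_nonce' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );
```

The difference worth carrying into code review is the return-type contract: whenever a helper can return either an object or a WP_Error, every caller must test with is_wp_error() (or an instanceof check on the expected class) before using the result, and the identity used for the session must come from the verified object rather than from request input.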
To exacerbate the situation, the flaw is exploitable at scale using automated scripts, raising the possibility of widespread website takeover campaigns. Wordfence, the security company that publicly disclosed the vulnerability, described it as one of the most severe flaws in its 12-year history. The vulnerability enables remote attackers to gain full administrative control of affected websites.
Given the gravity of the issue, Wordfence has recommended that hosting providers force-update the plugin on their customers’ sites and conduct database scans to ensure no vulnerable versions remain in use.
What is the Really Simple Security plugin for WordPress?
Really Simple Security (Free, Pro, and Pro Multisite) is a popular WordPress security plugin offering features such as SSL configuration, login protection, two-factor authentication (2FA), and real-time vulnerability scanning. The plugin’s free version is actively installed on over four million websites.
Am I impacted by CVE-2024-10924?
The Really Simple Security plugin is vulnerable to authentication bypass when the “Two-Factor Authentication” setting is enabled. Note that 2FA is disabled by default in the plugin. Still, we recommend updating any installation running versions 9.0.0 to 9.1.1.1 immediately.
IONIX customers will see updated information in the threat center of the IONIX portal.