Critical Really Simple Security plugin flaw affects 4+ million WordPress sites

On November 14, 2024, Wordfence researchers issued a warning about CVE-2024-10924, a vulnerability with a CVSS score of 9.8 in the Really Simple Security plugin that affects over 4 million WordPress websites. The Really Simple Security plugin, formerly Really Simple SSL, is a popular WordPress tool that enhances website security with features like login protection, real-time vulnerability detection, and two-factor authentication. If exploited, the flaw allows an unauthenticated attacker to remotely gain full administrative access to a site running the plugin. The vulnerability was discovered by Wordfence researcher István Márton.

The flaw stems from improper handling of the user-check error in the plugin's two-factor REST API actions, specifically in the ‘check_login_and_get_user’ function. “Unfortunately, one of the features adding two-factor authentication was insecurely implemented, making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.

Ironically, this vulnerability only impacts WordPress sites that have enabled “Two-Factor Authentication” in the plugin settings.
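The defect class described above, a user check that reports failure through a returned error object which the calling REST handler never inspects, is shown below in an added, illustrative PHP example. This is not the plugin's code; the function names, the nonce action string and the request parameter names are assumptions, and the snippet presumes it runs inside WordPress, where WP_Error, is_wp_error(), get_user_by(), wp_verify_nonce() and wp_set_auth_cookie() are available.

```php
<?php
// Illustrative reconstruction of the bug class (improper error handling of a
// user check), not the plugin's code. Assumes the WordPress runtime is loaded.

/**
 * Verify a login nonce for a user id. Returns the WP_User on success and a
 * WP_Error on failure. Signalling failure via a return value is fine on its
 * own; the problem is a caller that never looks at that value.
 */
function example_check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! wp_verify_nonce( $login_nonce, 'example_2fa_login_' . $user_id ) ) {
        return new WP_Error( 'invalid_nonce', 'Invalid login nonce', array( 'status' => 403 ) );
    }
    $user = get_user_by( 'id', $user_id );
    return $user ? $user : new WP_Error( 'no_user', 'Unknown user', array( 'status' => 403 ) );
}

/**
 * VULNERABLE pattern: the check's result is discarded and the attacker-controlled
 * user_id from the request is used to set the auth cookie unconditionally.
 */
function example_vulnerable_rest_callback( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    example_check_login_and_get_user( $user_id, (string) $request['login_nonce'] );
    wp_set_auth_cookie( $user_id, true ); // runs even when the check returned WP_Error
    return new WP_REST_Response( array( 'logged_in' => true ), 200 );
}

/**
 * HARDENED pattern: stop on WP_Error and authenticate only the user object the
 * check actually returned, never the raw id from the request.
 */
function example_hardened_rest_callback( WP_REST_Request $request ) {
    $user = example_check_login_and_get_user(
        (int) $request['user_id'],
        (string) $request['login_nonce']
    );
    if ( is_wp_error( $user ) ) {
        return $user; // the REST API serialises this with its 403 status
    }
    wp_set_auth_cookie( $user->ID, true );
    return new WP_REST_Response( array( 'logged_in' => true ), 200 );
}
```

Reviewing every caller of a verification helper for an is_wp_error() (or equivalent) check is the quickest way to find this pattern in other plugins.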

CVE-2024-10924 impacts plugin versions from 9.0.0 through 9.1.1.1 of the “free”, “Pro” and “Pro Multisite” releases. The flaw was fixed in version 9.1.2. Security updates were released on November 12 (Pro versions) and November 14 (free version).

Read more about it here.
