A critical authentication bypass vulnerability has been discovered in the Really Simple Security (formerly Really Simple SSL) WordPress plugin that, if successfully exploited, could give an attacker full remote administrative access to a vulnerable site.
The vulnerability, identified as CVE-2024-10924 (CVSS score: 9.8), affects both the free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning it can be turned into a large-scale automated attack targeting WordPress websites,” said István Márton, security researcher at Wordfence.
After responsible disclosure on November 6, 2024, the flaw was fixed in version 9.1.2, released a week later. The risk of abuse prompted the plugin developers to work with WordPress to force-update all sites running the plugin before public disclosure.
According to Wordfence, the authentication bypass vulnerability, present in versions 9.0.0 to 9.1.1.1, is due to incorrect handling of user validation errors in a function called “check_login_and_get_user”, which allows unauthenticated attackers to log in as arbitrary existing users, including administrators, when two-factor authentication is enabled.
“Unfortunately, one of the features that adds two-factor authentication was implemented insecurely, allowing unauthenticated attackers to gain access to any user account, including an administrator account, with a simple query when two-factor authentication is enabled,” Márton said.
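To make the class of defect concrete, here is an added illustration of a validation routine that signals failure with an error object and a caller that either ignores it (fails open) or checks it (fails closed). This is not the plugin's code; the function and sample data are constructed for the example, and WP_Error, is_wp_error and wp_set_auth_cookie are minimal stand-ins for the WordPress core functions so the file runs with the php CLI.

```php
<?php
// Stand-ins for WordPress core (assumed here so the example runs stand-alone).
class WP_Error { public function __construct(public string $code, public string $msg) {} }
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }
function wp_set_auth_cookie(int $user_id): void { echo "session created for user $user_id\n"; }

// Constructed sample data: one valid one-time code per user id.
const VALID_CODES = [1 => 'A1B2C3'];

// Hypothetical check: returns the user id on success, a WP_Error on any failure.
function check_login_and_get_user(int $user_id, string $code) {
    if (!isset(VALID_CODES[$user_id]) || !hash_equals(VALID_CODES[$user_id], $code)) {
        return new WP_Error('invalid_code', 'Two-factor code rejected');
    }
    return $user_id;
}

// Fail-open pattern: the return value is never inspected, so execution
// continues and a session is issued for the requested id regardless.
function handle_2fa_login_vulnerable(int $user_id, string $code): string {
    $result = check_login_and_get_user($user_id, $code);
    wp_set_auth_cookie($user_id);
    return 'logged in';
}

// Fail-closed pattern: refuse unless the check returned a validated user id,
// and use only that returned id, never the id taken from the request.
function handle_2fa_login_fixed(int $user_id, string $code): string {
    $result = check_login_and_get_user($user_id, $code);
    if (is_wp_error($result) || !is_int($result)) {
        return 'rejected: ' . (is_wp_error($result) ? $result->msg : 'no user');
    }
    wp_set_auth_cookie($result);
    return 'logged in';
}

echo handle_2fa_login_vulnerable(1, 'WRONG') . "\n";  // session issued despite a bad code
echo handle_2fa_login_fixed(1, 'WRONG') . "\n";       // rejected: Two-factor code rejected
echo handle_2fa_login_fixed(1, 'A1B2C3') . "\n";      // logged in
```

A code review or unit test that feeds an invalid code and asserts no session is created would have caught the fail-open branch.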
Successful exploitation of the vulnerability could have serious consequences as it could allow attackers to hijack WordPress sites and further use them for criminal purposes.
The disclosure comes days after Wordfence discovered another critical flaw in the WPLMS Learning Management System theme for WordPress (CVE-2024-10470, CVSS score: 9.8), which could allow unauthenticated threat actors to read and delete arbitrary files, potentially leading to code execution.
Specifically, the theme prior to version 4.963 is “vulnerable to arbitrary file reading and deletion due to insufficient file path and permission validation,” allowing unauthenticated attackers to delete arbitrary files on the server.
“This allows an unauthenticated attacker to read and delete any arbitrary file on the server, including the site’s wp-config.php file,” it said. “Deleting wp-config.php forces the site into a configuration state, which allows an attacker to initiate a site hijack by connecting it to a database under their control.”