Hi all,
A critical vulnerability recently discovered in the "Really Simple Security" plugin (formerly Really Simple SSL) has put over 4 million WordPress sites at risk. This flaw, tracked as CVE-2024-10924 with a CVSS score of 9.8, allows unauthorized users to bypass authentication and gain full administrator access. The issue stems from improper error handling in the plugin's two-factor authentication (2FA) feature, specifically within its REST API, where a failed verification does not prevent access. Consequently, attackers can assume any user role, including that of an admin, enabling a complete site takeover.
The vulnerability was disclosed by WordPress security company Defiant, who worked with the plugin's developers to address the issue. A forced security update, version 9.1.2, was issued on November 12 for both free and pro versions. Site administrators using the plugin should confirm they are using the updated version to mitigate the risk of exploitation. This vulnerability highlights the critical importance of secure 2FA implementations, as such issues can severely impact website integrity if not correctly addressed.
Administrators using the Really Simple Security plugin should update their version promptly to avoid potential attacks from unauthorized access.
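To make the "failed verification does not prevent access" pattern concrete, here is an added illustration (not the plugin's code, and not a reproduction of the actual bug): a hypothetical 2FA login step written fail-open beside the same step written fail-closed. All function names are assumed, and `WP_Error`/`is_wp_error()` are minimal stand-ins so the file runs under plain `php` without WordPress.

```php
<?php
// Minimal stand-ins for WordPress's WP_Error and is_wp_error() (assumption, not the real classes).
class WP_Error { public function __construct(public string $code, public string $message) {} }
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Constructed user store: user id => one-time code currently expected for that user.
const USERS = [7 => '123456'];

// Hypothetical verifier: returns the user id on success, a WP_Error on any failure.
function verify_2fa_code(int $user_id, string $code): int|WP_Error {
    if (!isset(USERS[$user_id]) || !hash_equals(USERS[$user_id], $code)) {
        return new WP_Error('invalid_code', 'Two-factor verification failed');
    }
    return $user_id;
}

// Fail-open pattern: the verifier's result is never checked, so the session is
// established from the caller-supplied user id even when verification failed.
function login_fail_open(int $user_id, string $code): string {
    verify_2fa_code($user_id, $code);          // return value (possibly WP_Error) ignored
    return "session created for user $user_id"; // stands in for setting the auth cookie
}

// Fail-closed pattern: any error short-circuits before a session is created.
function login_fail_closed(int $user_id, string $code): string|WP_Error {
    $verified = verify_2fa_code($user_id, $code);
    if (is_wp_error($verified)) {
        return $verified;                         // reject; nothing below runs
    }
    return "session created for user $verified";
}

// Demonstration with a wrong code: only the fail-closed variant refuses.
$bad = login_fail_open(7, '000000');
$good = login_fail_closed(7, '000000');
echo "fail-open:   $bad\n";
echo "fail-closed: " . (is_wp_error($good) ? "rejected ({$good->code})" : $good) . "\n";
```

The defensive rule the example encodes: treat every verification return value as untrusted until it has been checked, and reject on any error before touching session state.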