Critical Authentication Bypass in ‘Really Simple Security’ WordPress Plugin

ISGroup Cybersecurity

CVE-2024-10924 is a critical vulnerability affecting the Really Simple Security plugin for WordPress, including both the free and Pro versions. With over four million active installations, this plugin provides SSL configuration, login protection, two-factor authentication (2FA), and real-time vulnerability detection. Discovered by Wordfence on November 6, 2024, the flaw compromises authentication processes, allowing attackers to bypass security measures and gain full administrative access to affected websites.

Productreally-simple-ssl
Date2024-11-20 15:56:24
Information
  • Trending
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability stems from improper handling of the login_nonce parameter in the plugin’s REST API actions for two-factor authentication. When this value is invalid, the authentication process falls back to using only the user_id parameter, effectively allowing unauthorized access. The flaw affects plugin versions 9.0.0 through 9.1.1.1, including the free, Pro, and Pro Multisite editions. Although 2FA is disabled by default, many administrators enable it to strengthen security—ironically increasing the exploitable attack surface. Attackers can use automated scripts to target multiple websites simultaneously, making this a high-risk, large-scale threat. The issue was resolved in version 9.1.2 by correcting the function to ensure it terminates properly if the login_nonce verification fails. Patches were released on November 12 (Pro version) and November 14 (free version).

Recommendations

Update to version 9.1.2 or later:

  • Pro users must perform a manual update if automatic updates are disabled due to an expired license.
  • Free version users should verify that their site has received the forced update from WordPress.org.

[Callforaction-THREAT-Footer]