Really Simple Security Plugin Flaw Risks 4M+ WordPress Sites
Heads up, WordPress admins! The Really Simple Security WordPress plugin shipped with a critical authentication bypass. Exploiting it lets an unauthenticated adversary log in as an existing user, including an administrator, and thereby take over the target site. Admins must make sure their sites run the latest plugin release.
Critical Security Flaw Found In Really Simple Security WordPress Plugin
According to a recent post from the WordPress security firm Wordfence, a critical vulnerability in the Really Simple Security plugin put millions of websites worldwide at risk.
As explained, the vulnerability, CVE-2024-10924, is an authentication bypass affecting plugin versions 9.0.0 through 9.1.1.1. It stems from improper error handling in the two-factor REST API actions, specifically around the ‘check_login_and_get_user’ function: the function reports a failed check by returning an error object, but the calling code never acts on that return value. Explaining the exact matter, the post reads:
The most significant problem and vulnerability is caused by the fact that the function returns a WP_REST_Response error in case of a failure, but this is not handled within the function. This means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(), which authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified.
The vulnerability received a critical severity rating with a CVSS score of 9.8. When the plugin’s two-factor authentication setting is enabled, an unauthenticated attacker can abuse the flaw to sign in as any existing user simply by supplying that user’s ID in the request; no password, valid nonce, or second factor is required. Targeting an administrator account hands the attacker full administrative control of the site.
The irony is that the bypass is only reachable when two-factor authentication is turned on, the very setting admins are normally advised to enable.
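To make the bug class concrete, the following is an added, simplified illustration written for this article; it is not the plugin’s code, and the function names (tf_check_login_and_get_user, tf_authenticate_and_redirect, tf_rest_verify_vulnerable, tf_rest_verify_fixed), the nonce action string and the REST route are all hypothetical. It shows the pattern Wordfence describes, a helper that signals failure by returning an error object and a caller that ignores that return value and logs in whatever user ID the request carried, next to the hardened caller that stops on anything other than a verified WP_User. It relies on standard WordPress APIs (wp_verify_nonce, get_user_by, wp_set_auth_cookie, register_rest_route) and runs only inside WordPress.

```php
<?php
// Added example for this article, not code from the Really Simple Security plugin.
// All tf_* names, the nonce action and the route are hypothetical.

// Helper: verify the nonce and load the user. On failure it RETURNS an error
// response object instead of throwing, so every caller must check the result.
function tf_check_login_and_get_user( int $user_id, string $nonce ) {
    if ( ! wp_verify_nonce( $nonce, 'tf_two_factor_login_' . $user_id ) ) {
        return new WP_REST_Response( array( 'error' => 'invalid nonce' ), 403 );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_REST_Response( array( 'error' => 'unknown user' ), 403 );
    }
    return $user; // WP_User on success
}

// Sets the auth cookie for the given user and sends them to the dashboard.
function tf_authenticate_and_redirect( int $user_id ) {
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( admin_url() );
    exit;
}

// VULNERABLE pattern: the helper's return value is discarded, so an invalid
// nonce (or a bogus user) still falls through to the login, and the user ID
// being logged in comes straight from the unauthenticated request.
function tf_rest_verify_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    tf_check_login_and_get_user( $user_id, (string) $request->get_param( 'nonce' ) );
    // ...provider-specific second-factor checks would sit here...
    tf_authenticate_and_redirect( $user_id ); // reached regardless of the check above
}

// HARDENED pattern: bail out on any non-WP_User result, return the error so
// the REST server sends it, and only ever log in the user object that was
// actually verified, never a raw ID from the request.
function tf_rest_verify_fixed( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $result  = tf_check_login_and_get_user( $user_id, (string) $request->get_param( 'nonce' ) );
    if ( ! ( $result instanceof WP_User ) ) {
        if ( $result instanceof WP_REST_Response || is_wp_error( $result ) ) {
            return $result;
        }
        return new WP_Error( 'tf_auth_failed', 'Authentication failed', array( 'status' => 403 ) );
    }
    tf_authenticate_and_redirect( $result->ID );
}

// A login-completion endpoint has to be reachable before authentication, so
// permission_callback cannot gate it; the nonce and user checks in the
// callback are therefore the only thing standing between a request and a session.
add_action( 'rest_api_init', function () {
    register_rest_route( 'tf-example/v1', '/verify', array(
        'methods'             => 'POST',
        'callback'            => 'tf_rest_verify_fixed',
        'permission_callback' => '__return_true',
    ) );
} );
```

The design point is that an error signalled by return value is invisible unless every caller checks it; returning a WP_Error or WP_REST_Response from the route callback is what makes the REST server stop and emit the 403. When reviewing similar code, look for any path that reaches a wp_set_auth_cookie() call with an ID taken from the request rather than from the object the verification step returned.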
Patch Deployed Across Most Websites
Upon discovering the vulnerability, Wordfence notified the plugin developers and shipped a firewall rule to protect its own customers in the meantime. The developers quickly produced a fix and released it as plugin version 9.1.2.
Given the plugin’s huge user base (over 4 million active installations, according to the official listing), it was crucial for every site to be patched promptly. The developers therefore also coordinated with the WordPress plugins team to push a forced update to sites still running the vulnerable versions.
Forced updates do not reach every site (auto-updates can be disabled, and some hosts manage plugins themselves), so all WordPress admins should still confirm from the Plugins screen or WP-CLI that the installed version is 9.1.2 or later.