Really Simple Security Plugin Flaw Risks 4M+ WordPress Sites
Heads up, WordPress admins! The WordPress plugin Really Simple Security had a serious security flaw. Exploiting this vulnerability would allow an adversary to gain administrative access to the target website. Users must ensure their sites are updated with the latest plugin release to avoid potential threats.
Critical Security Flaw Found In Really Simple Security WordPress Plugin
According to a recent post from the security service Wordfence, a critical vulnerability threatened the security of millions of websites globally as it affected the plugin Really Simple Security.
As explained, the vulnerability, CVE-2024-10924, was an authentication bypass in plugin versions 9.0.0 to 9.1.1.1. It existed because of improper handling of user-check errors in the two-factor REST API actions handled by the ‘check_login_and_get_user’ function. Explaining the exact issue, the post reads,
The most significant problem and vulnerability is caused by the fact that the function returns a WP_REST_Response error in case of a failure, but this is not handled within the function. This means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(), which authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified.
This vulnerability received a critical severity rating and a CVSS score of 9.8. If two-factor authentication is enabled, an unauthenticated adversary could exploit this flaw to sign in as a legitimate user. Such logins would require no account password and pass no validation checks. If the targeted account belonged to an administrator, the adversary would gain full control of the target website.
Interestingly, this exploit is only possible with the two-factor authentication enabled, which is a generally recommended authentication safety measure.
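The unchecked-return pattern Wordfence describes, shown as an added illustration beside a hardened handler (this is not the plugin's code; the ErrorResponse class, the nonce stub and the request array are constructed stand-ins so the file runs without WordPress):

```php
<?php
// Constructed stand-in for the WP_REST_Response error the post describes.
class ErrorResponse {
    public function __construct(public string $code) {}
}

// Constructed nonce check: only the literal 'valid-nonce' passes.
function verify_nonce(string $nonce): bool {
    return $nonce === 'valid-nonce';
}

// Returns the verified user id on success, or an ErrorResponse on failure.
function check_login_and_get_user(array $request): int|ErrorResponse {
    if (!verify_nonce($request['nonce'] ?? '')) {
        return new ErrorResponse('invalid_nonce');
    }
    return (int) $request['user_id'];
}

function authenticate_and_redirect(int $user_id): string {
    return "logged in as user $user_id";
}

// Vulnerable pattern: the error return is never inspected, so execution
// falls through and the user id taken from the request is authenticated.
function vulnerable_handler(array $request): string {
    $result = check_login_and_get_user($request);
    return authenticate_and_redirect((int) $request['user_id']);
}

// Hardened pattern: stop on any error before authenticating, and use the
// user id the check returned rather than the raw request field.
function hardened_handler(array $request): string {
    $result = check_login_and_get_user($request);
    if ($result instanceof ErrorResponse) {
        return 'rejected: ' . $result->code;
    }
    return authenticate_and_redirect($result);
}

// Constructed request with a bad nonce, as a regression test input.
$request = ['user_id' => 1, 'nonce' => 'bogus'];
echo vulnerable_handler($request), "\n"; // logged in as user 1
echo hardened_handler($request), "\n";   // rejected: invalid_nonce
```

A unit test feeding a bad nonce into every REST handler that ends in a login call is the cheapest way to catch this class of bug before release.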
Patch Deployed Across Most Websites
Upon discovering the vulnerability, Wordfence informed the plugin developers and addressed it with their firewall. In response, the vendors quickly developed a fix and released it with the plugin version 9.1.2.
Given this plugin’s huge user base (over 4 million active installations, according to the official listing), it was crucial for all users to patch their websites immediately to avoid any threats. Thus, the vendors also coordinated with the WordPress plugins team to force-patch the websites running the vulnerable plugin versions.
Nonetheless, all WordPress admins should still manually check their sites for the latest plugin release out of caution.