Critical Vulnerability in WordPress Plugin Puts Over 4 Million Websites at Risk of Remote Control

410/67 Tuesday, November 19, 2024

A critical security vulnerability has recently been disclosed in the Really Simple Security plugin (formerly Really Simple SSL) for WordPress. If exploited, it allows an unauthenticated, remote attacker to gain administrative access to the site. The vulnerability, tracked as CVE-2024-10924, has been assigned a CVSS severity score of 9.8.

The flaw affects both the free and premium versions of the Really Simple Security plugin, which is installed on over 4 million WordPress websites. It stems from improper error handling in the plugin's "check_login_and_get_user" function, which is used by its two-factor authentication REST API: the error returned for a failed check does not stop the request, so an unauthenticated attacker can log in as any existing user, including an administrator, when the plugin's two-factor authentication (2FA) feature is enabled (it is off by default). Security researcher István Márton from Wordfence explained, "The newly added two-factor authentication feature contains a vulnerability that allows attackers to log in as administrators by simply sending a basic request."
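The following PHP script is an added illustration of the bug class described above, an authentication helper that reports failure by returning an error object that the caller never inspects. It is not the plugin's code: the user table, the nonce scheme, the request shape and the two endpoint functions are assumptions made for this example. Only the WordPress convention of signalling failure with a WP_Error object and testing for it with is_wp_error() is real, and minimal stand-ins for those are defined so the script runs with the plain php CLI.

```php
<?php
// Illustrative reconstruction of the "unchecked error return" bug class.
// NOT the plugin's code: names, data and the nonce scheme are assumptions.

// Stand-ins so the file runs without WordPress. In WordPress itself WP_Error
// and is_wp_error() are core with this shape: errors are returned, not thrown.
if (!class_exists('WP_Error')) {
    class WP_Error {
        public $code;
        public $message;
        public function __construct($code, $message) {
            $this->code = $code;
            $this->message = $message;
        }
    }
}
if (!function_exists('is_wp_error')) {
    function is_wp_error($thing): bool { return $thing instanceof WP_Error; }
}

// Constructed sample data: one administrator and the one-time login nonce the
// site would issue to that user after the password step of a 2FA login.
$users = [1 => ['ID' => 1, 'login' => 'admin', 'role' => 'administrator']];
$valid_nonces = [1 => 'n0nce-issued-after-password-step'];

// Helper in the style of the affected function: returns the user record on
// success, or a WP_Error when the nonce does not belong to that user.
function check_login_and_get_user(int $user_id, string $login_nonce, array $users, array $valid_nonces) {
    if (!isset($valid_nonces[$user_id]) || !hash_equals($valid_nonces[$user_id], $login_nonce)) {
        return new WP_Error('invalid_nonce', 'Invalid login nonce.');
    }
    return $users[$user_id] ?? new WP_Error('no_user', 'Unknown user.');
}

// VULNERABLE handler: the helper's return value is discarded, so a WP_Error
// does not halt the request, and the session is built from the
// attacker-controlled user_id parameter. Returns the login it would sign in.
function vulnerable_2fa_endpoint(array $request, array $users, array $valid_nonces): ?string {
    $user_id     = (int)($request['user_id'] ?? 0);
    $login_nonce = (string)($request['login_nonce'] ?? '');
    check_login_and_get_user($user_id, $login_nonce, $users, $valid_nonces); // result ignored
    return $users[$user_id]['login'] ?? null;
}

// FIXED handler: stop on WP_Error, and only ever sign in the user object the
// helper verified, never the raw request parameter.
function fixed_2fa_endpoint(array $request, array $users, array $valid_nonces): ?string {
    $user_id     = (int)($request['user_id'] ?? 0);
    $login_nonce = (string)($request['login_nonce'] ?? '');
    $user = check_login_and_get_user($user_id, $login_nonce, $users, $valid_nonces);
    if (is_wp_error($user)) {
        return null; // reject: no session is created
    }
    return $user['login'];
}

// The kind of "basic request" the quote refers to: a guessable user id
// (user 1 is the first administrator on most installs) and a bogus nonce.
$attacker_request = ['user_id' => 1, 'login_nonce' => 'garbage'];

printf("vulnerable handler signs in: %s\n", vulnerable_2fa_endpoint($attacker_request, $users, $valid_nonces) ?? 'nobody');
printf("fixed handler signs in:      %s\n", fixed_2fa_endpoint($attacker_request, $users, $valid_nonces) ?? 'nobody');
```

Run it with `php example.php`. The vulnerable handler signs in the administrator for a request whose nonce failed verification, while the fixed handler returns null. The two things to look for when auditing similar code are whether every call to a helper that can return WP_Error is followed by an is_wp_error() check, and whether the identity that is finally authenticated comes from the verified object rather than from a request parameter.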

The flaw was responsibly disclosed to the plugin's developer on November 6, 2024, and patched in version 9.1.2, released within about a week. To prevent exploitation, the developer worked with WordPress.org to force-update affected websites before the details were published. Users of versions 9.0.0 through 9.1.1.1 are strongly advised to confirm that the update has been applied, updating manually if it has not, and to review their sites for signs of compromise such as unexpected administrator accounts or recent logins they do not recognize.

Because exploitation requires only a single crafted request, this vulnerability lends itself to large-scale automated attacks that compromise many websites at once. Successful exploitation gives the attacker full administrative control of the WordPress site, which can then be used for malicious purposes such as distributing malware or stealing data.

To mitigate the risk, website administrators should keep plugins and themes updated to their latest versions, verify that this plugin is at version 9.1.2 or later, use a web application firewall (WAF), and conduct regular security audits of their sites.

Source https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html