CVE-2024-10924 (CVSS 9.8): Authentication Bypass in Really Simple Security Plugin Affects 4 Million Sites
The Wordfence Threat Intelligence team identified a severe authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin, including its Pro and Pro Multisite versions. This vulnerability, which affects over 4 million WordPress sites worldwide, is classified as critical with a CVSS score of 9.8. If exploited, it could allow attackers to gain unauthorized access to any account on a website, including administrator accounts, whenever two-factor authentication is enabled.
Discovered by István Márton of the Wordfence Threat Intelligence team on November 6th, 2024, the vulnerability stems from an insecure implementation of the plugin’s two-factor authentication feature.
“Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton explained in the vulnerability report.
The technical details reveal a flaw in how the plugin handles authentication via its REST API.
“The most significant problem and vulnerability is caused by the fact that the function returns a WP_REST_Response error in case of a failure, but this is not handled within the function,” the report states. This essentially means that even if a user provides incorrect authentication details, the plugin could still grant them access.
CVE-2024-10924 has a CVSS score of 9.8, classifying it as critical. An attacker could exploit this flaw to gain access to any account on a vulnerable website, including administrator accounts, leading to a complete site takeover.
“This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin,” states Márton.
Wordfence and the Really Simple Plugins team have been proactive in minimizing the risk of exploitation. Users should verify that they are running the latest version of Really Simple Security (version 9.1.2) and that their site has been updated, especially if they are using version 9.0.0 or newer. Wordfence emphasizes that “we urge users to verify that their sites were updated to the latest patched version… as soon as possible.”
