A severe authentication bypass vulnerability, CVE-2024-10924, has been found in the WordPress plugin "Really Simple Security" (formerly "Really Simple SSL"). This plugin, used on over four million sites, offers security features like SSL configuration and two-factor authentication (2FA).
Wordfence, which discovered the flaw, considers it among the most severe vulnerabilities in its history. It allows attackers to bypass authentication and gain administrator access, and is exploitable specifically when 2FA is enabled. The root cause is a faulty 'check_login_and_get_user()' function that mishandles a failed 'login_nonce' check: instead of rejecting the request, it goes on to authenticate the user based solely on the supplied 'user_id'.
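To make the failure mode concrete, the following is an added, hypothetical sketch of a 2FA completion handler; it is not the plugin's actual code. The vulnerable form computes the nonce result but never acts on a failure, so control falls through to loading whatever account the submitted user_id names; the hardened form fails closed. It assumes a WordPress runtime (wp_verify_nonce, get_user_by, WP_Error, wp_set_auth_cookie), and the nonce action name 'two_factor_login' is a placeholder.

```php
<?php
// Added illustration of the bug class, not the plugin's actual code.
// Assumes a WordPress runtime; 'two_factor_login' is a placeholder action.

/**
 * Vulnerable pattern (hypothetical): a failed nonce check builds an error
 * object but does not return, so execution falls through and the function
 * hands back the account named by the caller-controlled user_id.
 */
function vulnerable_check_login_and_get_user( $user_id, $login_nonce ) {
    $nonce_ok = wp_verify_nonce( $login_nonce, 'two_factor_login' );
    if ( ! $nonce_ok ) {
        // Bug: the error is created but never returned.
        $error = new WP_Error( 'invalid_nonce', 'Login nonce is invalid.' );
    }
    // Reached even when the nonce check failed.
    return get_user_by( 'id', (int) $user_id );
}

/**
 * Hardened pattern: every failed check returns immediately, and only a
 * WP_User object can ever reach the caller on the success path.
 */
function hardened_check_login_and_get_user( $user_id, $login_nonce ) {
    $user_id = (int) $user_id;
    if ( $user_id <= 0 || ! wp_verify_nonce( $login_nonce, 'two_factor_login' ) ) {
        return new WP_Error( 'invalid_nonce', 'Login nonce is invalid or expired.' );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! ( $user instanceof WP_User ) ) {
        return new WP_Error( 'invalid_user', 'No such user.' );
    }
    return $user;
}

/**
 * Caller: treat anything that is not a WP_User as a refusal and never set
 * an authentication cookie on an error result.
 */
function complete_two_factor_login( $user_id, $login_nonce ) {
    $result = hardened_check_login_and_get_user( $user_id, $login_nonce );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    wp_set_auth_cookie( $result->ID, false );
    return $result;
}
```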
Versions 9.0.0 to 9.1.1.1 of the plugin are affected. A patch fixing the vulnerability was released in version 9.1.2 on November 12 and 14 for Pro and free users, respectively. WordPress.org enforced automatic updates, but some sites, particularly those using expired Pro licenses, remain at risk.
Administrators are urged to manually update to version 9.1.2 and confirm that their websites are secure, as millions of sites may still be exposed.