Identity & Access Management,
Security Operations
Significant Authentication Vulnerability Affects Millions of WordPress Users
A critical security flaw has been discovered in a popular five-in-one security plugin for WordPress, putting over 4 million sites at risk of automated hacking attacks. The vulnerability, identified as CVE-2024-10924, has been classified by Wordfence, a firm specializing in WordPress security, as one of the most serious issues reported in their twelve years of operations.
This authentication bypass vulnerability exploits a now-resolved flaw in the Really Simple Security plugin. WordPress.org initiated mandatory updates on November 18, urging users to confirm that their sites have been updated to the secured version 9.1.2. The flaw affects not just the free version but also the Pro and Pro Multisite editions, revealing the wide reach of this critical issue.
The vulnerability arose from inadequate user verification handling in the plugin’s two-factor authentication system, which operates via the REST API. Notably, this flaw only impacts plugins that activate two-factor authentication for login, a feature that is disabled by default in the plugin settings. The Really Simple Security plugin offers various functions essential for managing website certificates, detecting vulnerabilities, and enhancing WordPress security.
The heart of the problem lies in an error in how the plugin managed error messages during two-factor authentication failures. Without proper error handling, a malicious actor could bypass authentication and maintain login access even with invalid credentials. As noted by Wordfence, the function would continue execution despite an invalid nonce, allowing unauthorized users to log in based purely on user ID requests without proper identity verification.
Wordfence disclosed the vulnerability to the plugin’s developers on November 6, highlighting its potential for exploitation through scripted attacks, as indicated by its alarming 9.8 score on the ten-point CVSS scale. This rating underscores the risk of a widespread automated assault on affected sites, emphasizing the urgent need for timely patching and user vigilance.
Given the nature of this vulnerability, adversary tactics consistent with the MITRE ATT&CK framework could be applicable. Techniques related to initial access, particularly through credential dumping and exploitation of public-facing applications, might be relevant in this context. Furthermore, the exploit could enable persistence on compromised systems, following successful initial access.
As cyber threats evolve and become increasingly sophisticated, maintaining robust security measures is paramount for all WordPress site owners. The lessons learned from this incident serve as a critical reminder to prioritize updates and security practices to mitigate potential risks.
