A significant authentication bypass vulnerability has been revealed in the Really Simple Security plugin for WordPress, previously known as Really Simple SSL. This security flaw poses a serious threat, as it allows a malicious actor to remotely obtain full administrative access to affected websites, potentially compromising sensitive data and functionalities.
Classified as CVE-2024-10924 with a Critical Vulnerability Score of 9.8 under the CVSS system, this vulnerability impacts both the free and premium iterations of the plugin, which is currently installed on over four million WordPress sites. According to Wordfence security researcher István Márton, the vulnerability is particularly concerning due to its scriptable nature, facilitating large-scale automated attacks aimed at WordPress installations.
The vulnerability was responsibly disclosed on November 6, 2024, and a patch was made available in version 9.1.2 released shortly thereafter. In light of the potential for exploitation, plugin maintainers collaborated with WordPress to apply forced updates to all installations of the plugin prior to the public announcement.
The root of this authentication bypass stems from inadequate user verification error handling within a function titled “check_login_and_get_user.” This oversight permits unauthenticated individuals to log in as any user, including those with administrator privileges, even when two-factor authentication (2FA) is enabled. Márton remarked that the insecure implementation of 2FA creates a significant vulnerability, enabling unauthorized access through a straightforward request.
The ramifications of this vulnerability are profound, as successful exploits could lead to the hijacking of WordPress sites, allowing malicious users to leverage these platforms for nefarious purposes. This revelation arrives on the heels of another critical issue within the WPLMS Learning Management System for WordPress (CVE-2024-10470), which could also allow unauthenticated attackers to retrieve and delete arbitrary files, thereby heightening security concerns across the board.
This recent incident highlights the ongoing cybersecurity risks faced by WordPress users and the crucial need for vigilance in managing software updates and security patches. Businesses relying on WordPress for their online presence should ensure that their plugins are up to date and remain aware of potential vulnerabilities that may arise in popular platforms.
While no specific country is identified as being targeted, the global reach of WordPress installations heightens the urgency for organizations to adopt robust cybersecurity measures. The tactics that may have been employed in the exploitation of this vulnerability fall within the MITRE ATT&CK framework, specifically concerning techniques associated with initial access and privilege escalation, indicating the critical need for comprehensive security strategies to thwart potential attacks.
As the cybersecurity landscape continues to evolve, business owners must remain informed about vulnerabilities in the tools they utilize and take proactive measures to protect their digital assets. The unfolding implications of these security flaws cannot be overstated, as they represent both a substantial risk to site integrity and a significant opportunity for cybersecurity improvement across the sector.
The discourse surrounding these vulnerabilities underscores the critical importance of ongoing vigilance in cybersecurity practices. As businesses leverage digital platforms, they must remain cognizant of the ever-evolving threat landscape and the implications of vulnerabilities that could compromise their operations.
