Sunday, January 12, 2025

Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites: Patch Released

Urgent Security Flaw in WordPress Plugin Affects Over 4 Million Sites

An authentication bypass vulnerability has been found in the extremely popular Really Simple Security WordPress plugin (formerly known as Really Simple SSL). If exploited, it gives an unauthenticated attacker complete administrative control over the affected website, which puts millions of WordPress sites at elevated risk of being compromised and suffering losses.

Vulnerability Description

According to the information obtained by MWR Cyber, the vulnerability has been registered as CVE-2024-10924 with a Common Vulnerability Scoring System (CVSS) score of 9.8, which indicates a high level of risk. The problem affects all versions of the plugin and the more than four million websites that use it, both the free and the paid editions. The risk is all the more pronounced because of how widely the plugin is used among WordPress users.

Description of the Cause of the Vulnerability

The issue stems from a defect in the error handling of the user check inside the check_login_and_get_user function, shown below. Because of this error, an unauthenticated attacker can be logged in regardless of whether the targeted account is an administrator. Flaws of this type can be used to bypass two-factor authentication checks, can be automated, and could lead to mass exploitation of vulnerable WordPress deployments.

[Image: really simple ssl auth bypass]

Patch Information and Timeline

Following responsible disclosure practices, the researchers who identified the vulnerability reported it on November 6, 2024, and the developers responded quickly with the emergency release of version 9.1.2 on November 13, 2024. The plugin developers, with the support of WordPress, ensured that all sites running a vulnerable version of the plugin were force-updated before public disclosure, which underlines the severity of this flaw.
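Because the fix is a version bump, the first thing a site owner or incident responder wants to confirm is which version of the plugin is actually on disk. The following is an added example (not code from the article or from the plugin) that reads the standard WordPress plugin header and flags installs below 9.1.2; the plugin directory names are assumptions, and the sample header is constructed.

```python
import os
import re

# Fixed release named in the article; anything older is treated as vulnerable.
FIXED_VERSION = "9.1.2"

# Assumed directory names for the free and Pro editions; adjust to your install.
PLUGIN_SLUGS = ("really-simple-ssl", "really-simple-ssl-pro")

# WordPress plugin headers are "Key: value" lines inside the main file's comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return the Plugin Name and Version fields found in a plugin file header."""
    return dict(HEADER_RE.findall(text))


def version_tuple(v):
    """Turn '9.1.1.1' into (9, 1, 1, 1) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version, fixed=FIXED_VERSION):
    return version_tuple(version) < version_tuple(fixed)


def audit_plugin_headers(headers):
    """headers: {plugin slug: main file text}. Returns (slug, version, verdict) tuples."""
    findings = []
    for slug, text in headers.items():
        if slug not in PLUGIN_SLUGS:
            continue
        ver = parse_plugin_header(text).get("Version")
        if ver is None:
            findings.append((slug, None, "no Version header; inspect manually"))
        elif is_vulnerable(ver):
            findings.append((slug, ver, f"vulnerable to CVE-2024-10924; update to {FIXED_VERSION}+"))
        else:
            findings.append((slug, ver, "patched"))
    return findings


def audit_install(wp_root):
    """Read the main file of each target plugin under wp-content/plugins and audit it."""
    headers = {}
    for slug in PLUGIN_SLUGS:
        d = os.path.join(wp_root, "wp-content", "plugins", slug)
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if name.endswith(".php"):
                with open(os.path.join(d, name), encoding="utf-8", errors="replace") as f:
                    text = f.read(4096)  # the header sits at the top of the main file
                if "Plugin Name:" in text:
                    headers[slug] = text
                    break
    return audit_plugin_headers(headers)


# Constructed sample header (not the real plugin file) so the script runs stand-alone.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Really Simple Security\n * Version: 9.1.1.1\n */\n"
```

Run `audit_install("/var/www/html")` (path is an example) against a real install; a "patched" verdict still assumes the forced update completed and the files were not restored from an older backup.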

Expert Insights

Wordfence Technologies, a well-known cybersecurity vendor, commented on the seriousness of this flaw. In particular, security researcher István Márton and his team observed that, “Unfortunately, the secure feature of adding two-factor authentication turned out to be more insecure than it should be and allowed the attacker without any authentication to take over the accounts of any users (including the administrator accounts) over a simple request when two-factor authentication was enabled.”

Potential Impact

If exploited, this flaw can lead to the unauthorized takeover of websites, and compromised sites can in turn be used for further criminal activity. It is worth noting that this threat surfaced shortly after another severe vulnerability was found in the WPLMS Learning Management System WordPress plugin, tracked as CVE-2024-10470, which also brings a significant risk of manipulation of users’ site data.

Comparison with Other Recent Vulnerabilities

Vulnerability           | Affected Plugin                  | CVE ID         | CVSS Score | Description
Authentication Bypass   | Really Simple Security           | CVE-2024-10924 | 9.8        | Allows unauthenticated attackers to gain administrative access when two-factor authentication is enabled.
Arbitrary File Deletion | WPLMS Learning Management System | CVE-2024-10470 | 9.8        | Enables unauthenticated attackers to read and delete arbitrary files on the server, risking code execution.

Closing Remarks

Recent successful breaches show that the teams responsible for securing WordPress sites must react promptly and update third-party plugins as soon as fixes are released. Defending the software they already run needs to be treated with greater urgency and attention.

Attack techniques evolve constantly, so security awareness together with protective and preventive measures remains paramount for safeguarding digital assets.

Assem