A severe security flaw (CVE-2024-10924) has been discovered in the Really Simple Security WordPress plugin, affecting over 4 million websites. This vulnerability received a critical CVSS score of 9.8.
Key Points:
– The vulnerability affects both free and premium versions (9.0.0 to 9.1.1.1)
– It allows unauthorized users to gain full administrative access
– The issue specifically occurs when two-factor authentication is enabled
– The vulnerability is automatable, making large-scale attacks possible
Resolution:
– Patched in version 9.1.2 (released November 2024)
– WordPress implemented forced updates to protect vulnerable sites
Technical Details:
The flaw stems from improper handling of user authentication checks in the “check_login_and_get_user” function, which allows attackers to bypass the plugin's security checks and log in as any user, including administrators.
Additional Security Context:
A separate critical vulnerability (CVE-2024-10470) was also found in the WPLMS Learning Management System for WordPress, which could allow:
– Unauthorized file access and deletion
– Potential system compromise through wp-config.php manipulation
– Site takeover through database reconnection
Recommended Action:
Users should ensure their Really Simple Security plugin is updated to version 9.1.2 or later to maintain site security.