Critical WordPress Security Flaw Threatens 4M+ Sites with Admin Takeover

Critical WordPress Security Alert: Really Simple Security Plugin Vulnerability

A severe security flaw (CVE-2024-10924) has been discovered in the Really Simple Security WordPress plugin, affecting over 4 million websites. This vulnerability received a critical CVSS score of 9.8.

Key Points:

– The vulnerability affects both the free and premium editions, versions 9.0.0 through 9.1.1.1

– It allows unauthorized users to gain full administrative access

– The issue specifically occurs when two-factor authentication is enabled

– The vulnerability is automatable, making large-scale attacks possible

Resolution:

– Patched in version 9.1.2 (released November 2024)

– WordPress implemented forced updates to protect vulnerable sites

Technical Details:

The flaw stems from improper handling of user authentication checks in the “check_login_and_get_user” function, allowing attackers to bypass security measures and log in as any user, including administrators.

Additional Security Context:

A separate critical vulnerability (CVE-2024-10470) was also found in the WPLMS Learning Management System for WordPress, which could allow:

– Unauthorized file access and deletion

– Potential system compromise through wp-config.php manipulation

– Site takeover through database reconnection

Recommended Action:

Users should ensure their Really Simple Security plugin is updated to version 9.1.2 or later to maintain site security.
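To verify an installed copy against the affected range given above (9.0.0 through 9.1.1.1, fixed in 9.1.2), here is an added example that is not code from the article or from the plugin itself: it reads the standard WordPress plugin header "Version:" line from a plugin's main PHP file and reports whether that version is still exposed. The header text is a constructed sample, and the four-part version 9.1.1.1 is why a plain string comparison is not enough.

```python
import re
from typing import Optional

# Affected range reported for CVE-2024-10924: 9.0.0 through 9.1.1.1,
# with 9.1.2 as the first fixed release (free and premium editions alike).
FIRST_AFFECTED = "9.0.0"
FIRST_FIXED = "9.1.2"

# Matches the "Version:" line of a WordPress plugin header block
# (e.g. " * Version: 9.1.1.1"); the first match is taken, as WordPress does.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_key(version: str, width: int = 4) -> tuple:
    """Turn '9.1.1.1' into (9, 1, 1, 1), zero-padding shorter versions so
    that 9.1.2 compares correctly against four-part releases. Any
    pre-release suffix is ignored and compared as its base version."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True when the installed version lies in [9.0.0, 9.1.2)."""
    v = version_key(version)
    return version_key(FIRST_AFFECTED) <= v < version_key(FIRST_FIXED)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Extract the declared version from a plugin main file's header."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def audit_plugin_file(php_source: str) -> dict:
    """Classify a plugin file as vulnerable, not affected, or unknown."""
    version = version_from_plugin_header(php_source)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable(version) else "not affected"
    return {"version": version, "status": status}


# Constructed sample header (not the plugin's real file); the path of the
# real main file on a site is an assumption left to the operator.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

if __name__ == "__main__":
    print(audit_plugin_file(SAMPLE_HEADER))
```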
