
Really Simple Security plugin flaw affects 4 million websites


A critical security flaw, CVE-2024-10924, in the Really Simple Security plugin for WordPress potentially exposed more than four million websites to unauthorised access. The plugin's developer has released version 9.1.2, which fixes the flaw.

The vulnerability, classified as an authentication bypass, affects both the free and pro versions of Really Simple Security from 9.0.0 to 9.1.1. It allows an unauthenticated remote attacker to log in as any existing user, including administrator accounts, on sites where the plugin's two-factor authentication (2FA) feature is enabled.

The vulnerability has been assigned a CVSS score of 9.8 (critical).

The problem originates in the plugin's two-factor authentication system, specifically within a REST API function responsible for verifying the user who is logging in. A mistake in how the result of that verification is handled lets an unauthenticated request bypass the two-factor check and log in as any existing user, exposing sensitive data and handing the attacker complete control of the affected website.

The two-factor authentication setting is disabled by default, so only sites whose administrators have turned it on are exploitable; those sites, however, are fully exposed until they update.

The vulnerability stems from improper error handling around the 'check_login_and_get_user()' function, which is responsible for verifying the user. The error it returns for an invalid login nonce is not acted on, so execution continues and the user is authenticated anyway.

This oversight enables unauthorised access, exposing user accounts and overall site integrity to compromise.
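The pattern described above, written out as an added illustration that is not the plugin's code: a user-check helper returns a WP_Error when the login nonce fails, a vulnerable handler ignores that return value and logs the requested user in, and a fixed handler treats the error as a hard stop. The rsssl_* function names, the request shape and the login flow are hypothetical, and the WordPress functions (WP_Error, WP_User, is_wp_error, get_user_by, wp_verify_nonce, wp_set_auth_cookie) are minimal stubs so the file runs standalone with the PHP CLI.

```php
<?php
// Constructed illustration of the error-handling mistake discussed in the article.
// NOT the plugin's code: rsssl_* functions and the request shape are hypothetical,
// and the WordPress functions below are stubs so this runs without WordPress.

// ---- Minimal stand-ins for WordPress APIs (stubs, not the real implementations) ----
class WP_Error {
    public function __construct( public string $code, public string $message, public array $data = array() ) {}
}
class WP_User {
    public function __construct( public int $ID, public string $user_login ) {}
}
function is_wp_error( $thing ): bool {
    return $thing instanceof WP_Error;
}
// Constructed user table: id 1 is the administrator.
$GLOBALS['demo_users'] = array( 1 => 'admin', 2 => 'editor' );
function get_user_by( string $field, int $value ) {
    return isset( $GLOBALS['demo_users'][ $value ] )
        ? new WP_User( $value, $GLOBALS['demo_users'][ $value ] )
        : false;
}
// Constructed nonce check; the real wp_verify_nonce() is keyed on session, user and time.
function wp_verify_nonce( string $nonce, string $action ): bool {
    $expected = substr( hash( 'sha256', 'demo-secret|' . $action ), 0, 10 );
    return hash_equals( $expected, $nonce );
}
$GLOBALS['logged_in_as'] = null;
function wp_set_auth_cookie( int $user_id ): void {
    $GLOBALS['logged_in_as'] = $user_id;
}

// ---- Hypothetical user check used by both handlers ----
function rsssl_check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! wp_verify_nonce( $login_nonce, 'rsssl_two_fa_' . $user_id ) ) {
        return new WP_Error( 'invalid_nonce', 'Login nonce is invalid.', array( 'status' => 403 ) );
    }
    $user = get_user_by( 'id', $user_id );
    return $user ? $user : new WP_Error( 'invalid_user', 'No such user.', array( 'status' => 403 ) );
}

// ---- Vulnerable REST handler: never inspects what the check returned ----
function rsssl_rest_vulnerable( array $request ) {
    $user_id = (int) $request['user_id'];
    rsssl_check_login_and_get_user( $user_id, (string) $request['login_nonce'] );
    // Bug: the WP_Error is discarded and execution continues to the login step
    // with the attacker-supplied user_id.
    wp_set_auth_cookie( $user_id );
    return array( 'status' => 'logged_in', 'user_id' => $user_id );
}

// ---- Fixed REST handler: an error from the check ends the request ----
function rsssl_rest_fixed( array $request ) {
    $user = rsssl_check_login_and_get_user( (int) $request['user_id'], (string) $request['login_nonce'] );
    if ( is_wp_error( $user ) ) {
        return $user; // WordPress's REST layer renders a WP_Error as an HTTP error response
    }
    wp_set_auth_cookie( $user->ID ); // log in the verified user object, not the requested id
    return array( 'status' => 'logged_in', 'user_id' => $user->ID );
}

// ---- Demo: attacker targets user 1 (admin) with a garbage nonce ----
$attack = array( 'user_id' => 1, 'login_nonce' => 'not-a-valid-nonce' );

$GLOBALS['logged_in_as'] = null;
rsssl_rest_vulnerable( $attack );
printf( "vulnerable handler: logged in as %s\n", var_export( $GLOBALS['logged_in_as'], true ) );

$GLOBALS['logged_in_as'] = null;
$result = rsssl_rest_fixed( $attack );
printf( "fixed handler: %s, logged in as %s\n",
    is_wp_error( $result ) ? 'rejected (' . $result->code . ')' : 'accepted',
    var_export( $GLOBALS['logged_in_as'], true ) );

// Legitimate flow still works through the fixed handler: user 2 with a valid nonce.
$valid_nonce = substr( hash( 'sha256', 'demo-secret|rsssl_two_fa_2' ), 0, 10 );
$result = rsssl_rest_fixed( array( 'user_id' => 2, 'login_nonce' => $valid_nonce ) );
printf( "fixed handler, valid nonce: %s, logged in as %s\n",
    is_wp_error( $result ) ? 'rejected' : 'accepted',
    var_export( $GLOBALS['logged_in_as'], true ) );
```

The fix is two-fold: check is_wp_error() (and a falsy user) on every return from the verification helper, and derive the account to log in from the verified user object rather than from the request, so that a skipped check can never be completed with an attacker-chosen id.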

Researchers have advised site owners to update to the latest version immediately.

In April 2024, more than one million WordPress websites were affected by the LayerSlider bug. A few months later, four more WordPress plugins — WP Server Health, Ad Invalid Click Protector, the PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images — were hit by supply chain attacks.

Another set of five WordPress plugins was affected by a flaw that allowed attackers to create new administrative accounts and control the compromised websites.

Furthermore, an arbitrary options update flaw in the Login/Signup Popup plugin exposed more than 40,000 websites to site takeover.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
