A vulnerability in the WordPress security plugin threatens millions of sites

Wordfence's security team has disclosed a critical authentication bypass vulnerability in the Really Simple Security plugin (formerly Really Simple SSL). The plugin, which ships in a free and a paid (Pro) version, is installed on more than 4 million websites. It is meant to harden WordPress sites with features such as SSL configuration, login protection, two-factor authentication (2FA), and real-time vulnerability detection.

According to Wordfence, this is one of the most serious vulnerabilities it has reported in its 12-year history as a WordPress security provider: it allows unauthenticated attackers to gain full remote administrative access to sites running the plugin.

To make matters worse, the flaw can be exploited at scale with automated scripts, which could lead to large-scale website takeover campaigns.

Wordfence suggests that hosting providers force-update the plugin on customer sites and scan their databases to make sure no one is still running a vulnerable version.

2FA that leads to weaker security

On November 6, 2024, István Márton from Wordfence discovered the critical-severity flaw now tracked as CVE-2024-10924. It stems from improper error handling in the user checks of the plugin's two-factor authentication (2FA) REST API actions, which lets unauthenticated attackers log in as any existing user, including administrators.

Specifically, the issue lies in the ‘check_login_and_get_user()’ function, which is supposed to verify the user’s identity by checking the ‘user_id’ and ‘login_nonce’ parameters. When ‘login_nonce’ is invalid, the request is not rejected as it should be; instead, ‘authenticate_and_redirect()’ authenticates the user based solely on ‘user_id’, which amounts to a complete authentication bypass.

The flaw is exploitable only on sites where the plugin’s “two-factor authentication (2FA)” setting is enabled (it is off by default). CVE-2024-10924 affects versions 9.0.0 through 9.1.1.1 of the “free,” “pro,” and “pro multisite” releases.

The developer fixed the defect by making the code handle a failed ‘login_nonce’ verification correctly: ‘check_login_and_get_user()’ now exits immediately instead of continuing to the user lookup.
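The following is an added, simplified model of the control-flow bug described above and of the shape of the fix. It is not the plugin's real source: only the two function names come from the advisory, and the WordPress pieces (nonce verification, user lookup, setting the auth cookie) are replaced by small stand-ins so the file runs on its own. The user IDs and nonce values are constructed for the demo.

```php
<?php
// Added, simplified model of the CVE-2024-10924 control-flow bug. NOT the
// plugin's real source: only check_login_and_get_user()/authenticate_and_redirect()
// are names from the advisory; everything prefixed demo_ is a constructed stand-in.

// ---- stand-ins for WordPress internals (constructed for this demo) ----
$DEMO_USERS  = array(1 => 'admin', 7 => 'editor');             // ID => login
$DEMO_NONCES = array(1 => 'n0nce-issued-after-password-step'); // the one valid nonce

function demo_verify_login_nonce($user_id, $nonce) {           // stands in for the nonce check
    global $DEMO_NONCES;
    return isset($DEMO_NONCES[$user_id])
        && hash_equals($DEMO_NONCES[$user_id], (string) $nonce);
}
function demo_get_user($user_id) {                             // stands in for get_user_by('id', ...)
    global $DEMO_USERS;
    return isset($DEMO_USERS[$user_id])
        ? (object) array('ID' => $user_id, 'user_login' => $DEMO_USERS[$user_id])
        : null;
}
function demo_set_session($user) {                             // stands in for wp_set_auth_cookie()
    return 'session for ' . $user->user_login;
}

// ---- vulnerable shape: the failed nonce check records an error but does not stop ----
function check_login_and_get_user_vulnerable($user_id, $login_nonce) {
    $error = null;
    if (!demo_verify_login_nonce($user_id, $login_nonce)) {
        $error = 'invalid login_nonce';   // noted, but execution keeps going
    }
    return demo_get_user($user_id);       // user is resolved from user_id alone
}
function authenticate_and_redirect_vulnerable($user_id, $login_nonce) {
    $user = check_login_and_get_user_vulnerable($user_id, $login_nonce);
    return $user ? demo_set_session($user) : 'denied';
}

// ---- fixed shape: a failed nonce check leaves the function immediately ----
function check_login_and_get_user_fixed($user_id, $login_nonce) {
    if (!demo_verify_login_nonce($user_id, $login_nonce)) {
        return null;                      // reject here; nothing below runs
    }
    return demo_get_user($user_id);
}
function authenticate_and_redirect_fixed($user_id, $login_nonce) {
    $user = check_login_and_get_user_fixed($user_id, $login_nonce);
    return $user ? demo_set_session($user) : 'denied';
}

// Request an unauthenticated attacker could send: the admin's user_id (often 1)
// plus any garbage for login_nonce.
echo 'vulnerable:        ', authenticate_and_redirect_vulnerable(1, 'garbage'), "\n";
echo 'fixed:             ', authenticate_and_redirect_fixed(1, 'garbage'), "\n";
// The legitimate flow, with the nonce issued after the password step, still works after the fix.
echo 'fixed, real nonce: ', authenticate_and_redirect_fixed(1, 'n0nce-issued-after-password-step'), "\n";
```

The vulnerable path hands the attacker a session for whichever account `user_id` names, because the only thing that ties the request to a completed password step, the nonce, is checked but its failure never aborts the flow. The fixed path returns before any user lookup, so a bad nonce can only ever yield "denied". The general lesson carries beyond this plugin: every failed authentication check must terminate the request on the spot, not merely record an error that later code is free to ignore.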

Wordfence’s firewall rule detects the malicious REST API action and blocks the request.

The fix shipped in version 9.1.2, released on November 12 for paid (Pro) users and November 14 for free users. The vendor coordinated with WordPress.org to push a forced security update to plugin users, but site administrators should still verify that they are running 9.1.2 or later. Pro users whose license has expired must update to 9.1.2 manually, because automatic updates are disabled for expired licenses.
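For the version check administrators are asked to perform, and for the fleet-wide scan Wordfence suggests to hosting providers earlier in the article, here is an added example (not the article's or the vendor's code) that flags installs whose version falls in the affected range 9.0.0 through 9.1.1.1. The slug `really-simple-ssl` is the plugin's WordPress.org slug; that the Pro builds share this prefix is an assumption. The CSV text is constructed sample output in the shape of `wp plugin list --format=csv`, not captured from a real site.

```php
<?php
// Added example (not the article's or the vendor's code): flag Really Simple
// Security installs whose version is inside the advisory's affected range.
// Assumptions: free slug really-simple-ssl (from WordPress.org); Pro builds are
// assumed to share that prefix; the CSV below is constructed sample data.

const RSSSL_SLUG_PREFIX = 'really-simple-ssl';
const RSSSL_FIRST_BAD   = '9.0.0';
const RSSSL_LAST_BAD    = '9.1.1.1';
const RSSSL_FIXED       = '9.1.2';

/** True when $version lies in the affected range (inclusive on both ends). */
function rsssl_is_vulnerable(string $version): bool
{
    // version_compare() compares numerically part by part, so 9.1.1.1 < 9.1.2
    // and 9.1.10 > 9.1.2; a plain string comparison would get such cases wrong.
    return version_compare($version, RSSSL_FIRST_BAD, '>=')
        && version_compare($version, RSSSL_LAST_BAD, '<=');
}

/**
 * Scan one site's `wp plugin list --format=csv` output and return
 * [slug => version] for every Really Simple Security build that needs updating.
 * Inactive plugins are flagged too: they can be re-enabled without being updated.
 */
function rsssl_find_vulnerable(string $csv): array
{
    $lines  = array_filter(array_map('trim', explode("\n", $csv)));
    $header = str_getcsv(array_shift($lines));
    $hits   = array();
    foreach ($lines as $line) {
        $row = array_combine($header, str_getcsv($line));
        if (strpos($row['name'], RSSSL_SLUG_PREFIX) !== 0) {
            continue;                         // some other plugin
        }
        if (rsssl_is_vulnerable($row['version'])) {
            $hits[$row['name']] = $row['version'];
        }
    }
    return $hits;
}

// Constructed sample: three sites, as a hosting provider's scan might collect them.
$sites = array(
    'site-a.example' => "name,status,update,version\nakismet,active,none,5.3.3\nreally-simple-ssl,active,available,9.1.1.1\n",
    'site-b.example' => "name,status,update,version\nreally-simple-ssl,active,none,9.1.2\n",
    'site-c.example' => "name,status,update,version\nreally-simple-ssl,inactive,none,8.3.0\n",
);

foreach ($sites as $host => $csv) {
    $bad = rsssl_find_vulnerable($csv);
    echo $host, ': ',
        $bad ? 'UPDATE NEEDED ' . json_encode($bad) . ' -> ' . RSSSL_FIXED : 'ok',
        "\n";
}
```

Only the first site is reported: 9.1.2 is the fixed release, and 8.3.0 predates the affected range. The plugin list does not reveal whether the 2FA setting is enabled, which is what makes an in-range version exploitable, so treat every in-range install as needing the update rather than trying to triage on that setting.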

As of December 17, 2024, the WordPress.org statistics page, which tracks only the free version of the plugin, showed around 960,000 downloads, far fewer than the plugin’s more than 4 million installations, suggesting that many sites had still not updated.

Sources:
https://www.bleepingcomputer.com/news/security/security-plugin-flaw-in-millions-of-wordpress-sites-gives-admin-access/
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
https://www.ionix.io/blog/cve-2024-10924-explained-security-plugin-flaw-in-millions-of-wordpress-sites/
https://wordpress.org/plugins/really-simple-ssl/advanced/
https://www.cve.org/CVERecord?id=CVE-2024-10924