### #WordPressSecurity #AuthenticationBypass #CVE2024
Summary: A critical authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress could allow attackers to gain full administrative access to over 4 million sites. The vulnerability has been patched, but its potential for large-scale exploitation raises significant security concerns.
Threat Actor: Unauthenticated attackers | unauthenticated attackers
Victim: WordPress sites | WordPress sites
Key Point :
- The vulnerability allows unauthenticated attackers to log in as any user, including administrators, especially when two-factor authentication is enabled.
- It affects both free and premium versions of the Really Simple Security plugin, installed on over 4 million sites.
- The issue arises from improper error handling in user checks, making it scriptable for large-scale automated attacks.
- Wordfence reported the vulnerability following responsible disclosure, leading to a forced update for all affected sites.
- This vulnerability follows another critical flaw in the WPLMS Learning Management System that allows unauthenticated file access and deletion.
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites,” Wordfence security researcher István Márton said.
Following responsible disclosure on November 6, 2024, the shortcoming has been patched in version 9.1.2 released a week later. This risk of possible abuse has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure.
According to Wordfence, the authentication bypass vulnerability, found in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called “check_login_and_get_user,” thereby allowing unauthenticated attackers to login as arbitrary users, including administrators, when two-factor authentication is enabled.
“Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.
Successful exploitation of the vulnerability could have serious consequences, as it could permit malicious actors to hijack WordPress sites and further use them for criminal purposes.
The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8) that could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.
Specifically, the theme, prior to version 4.963, is “vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks,” allowing unauthenticated attackers to delete arbitrary files on the server.
“This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site’s wp-config.php file,” it said. “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”
Source: https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html