A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
"The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites," Wordfence security researcher István Márton said.
Following responsible disclosure on November 6, 2024, the shortcoming has been patched in version 9.1.2 released a week later. This risk of possible abuse has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure.
According to Wordfence, the authentication bypass vulnerability, found in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called "check_login_and_get_user," thereby allowing unauthenticated attackers to login as arbitrary users, including administrators, when two-factor authentication is enabled.
"Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled," Márton said.
Successful exploitation of the vulnerability could have serious consequences, as it could permit malicious actors to hijack WordPress sites and further use them for criminal purposes.
The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8) that could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.
Specifically, the theme, prior to version 4.963, is "vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks," allowing unauthenticated attackers to delete arbitrary files on the server.
"This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site's wp-config.php file," it said. "Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control."