A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions.

Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in over four million websites.

Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to impacted sites.

To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.

Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody runs a vulnerable version.

2FA leading to weaker security

The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence’s researcher István Márton on November 6, 2024.

It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.

Specifically, the problem lies in the ‘check_login_and_get_user()’ function that verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.

When ‘login_nonce’ is invalid, the request isn’t rejected, as it should, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing authentication bypass.

The flaw is exploitable when two-factor authentication (2FA) is enabled, and even though it’s disabled by default, many administrators will allow it for stronger account security.

CVE-2024-10924 impacts plugin versions from 9.0.0 and up to 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases.

The developer addressed the flaw by ensuring that the code now correctly handles ‘login_nonce’ verification fails, exiting the ‘check_login_and_get_user()’ function immediately.

The fixes were applied to version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.

The vendor coordinated with WordPress.org to perform force security updates on users of the plugin, but website administrators still need to check and ensure they’re running the latest version (9.1.2).

Users of the Pro version have their auto-updates disabled when the license expires, so they must manually update 9.1.2.

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.