Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites
Summary:
According to a blog post by Istvan Marton from Wordfence, over 4 million WordPress sites are exposed to a critical authentication bypass vulnerability in the Really Simple Security plugin for WordPress that can be leveraged to grant an unauthenticated adversary remote administrative access to vulnerable sites. The vulnerability is tracked as CVE-2024-10924 and impacts the free and premium versions of this WordPress security plugin. The researcher elaborated that this is a scriptable vulnerability that can be leveraged for automated large-scale attacks. The vulnerability was disclosed on November 6, 2024, and subsequently patched in version 9.1.2, released last week. CVE-2024-10924 impacts versions 9.0.0 to 9.1.1.1. The vulnerability is exploitable due to improper user check error handling in a function called "check_login_and_get_user", which allows an attacker to log in as administrative users when two-factor authentication is enabled. The two-factor authentication feature added in these versions was insecurely implemented, making it possible for unauthenticated attackers to gain access to any user account. By exploiting this critical vulnerability, an adversary can hijack and scrape the site, and then utilize it to continue their malicious campaign.
Analyst Comments:
This disclosure from a Wordfence researcher comes a couple of days after another critical vulnerability in the WordPress LMS, CVE-2024-10470, was revealed to allow arbitrary file read and deletion. It is paramount that defenders stay vigilant about any vulnerabilities in WordPress for any sites built with WordPress within their organization. The fully patched version of the Really Simple Security Free plugin, 9.1.2, was released on November 14, 2024. Installing multiple reputable security plugins could potentially strengthen the security posture of the organization’s site. However, by incorporating multiple security plugins, the attack surface is expanded. Although this is a critical authentication bypass vulnerability and over 4 million WordPress sites are exposed, there is no evidence of active exploitation at this time. This vulnerability only critically affects site owners who have enabled “Two-Factor Authentication” in the plugin settings.
Suggested Corrections:
Organizations using WordPress are encouraged to verify that their sites are updated to the latest patched version of Really Simple Security as soon as possible, considering the critical nature of this vulnerability. Site owners must have “Two-Factor Authentication” enabled in the plugin settings to be critically affected.
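The following is an added example (not code from the advisory, Wordfence, or the plugin) of how a defender could audit a fleet of WordPress installs for the affected version range. It consumes the JSON printed by `wp plugin list --format=json` (the sample below is constructed), uses the free plugin's wordpress.org slug `really-simple-ssl` from the link above, and takes the two-factor setting as an input because the page states that only sites with it enabled are critically affected.

```python
import json
import re

# Version boundaries from the advisory: 9.0.0 through 9.1.1.1 are affected,
# 9.1.2 carries the fix. Stored as 4-tuples so they compare numerically.
AFFECTED_MIN = (9, 0, 0, 0)
FIXED = (9, 1, 2, 0)
PLUGIN_SLUG = "really-simple-ssl"  # free plugin slug on wordpress.org


def parse_version(text):
    """Turn '9.1.1.1' or '9.1.2-beta' into a 4-tuple of ints.
    Only the leading digits of each dot-separated piece count;
    missing pieces are padded with 0 so '9.1.2' == (9, 1, 2, 0)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version):
    """True when the installed version lies in the CVE-2024-10924 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def audit(plugin_list_json, two_fa_enabled=None):
    """plugin_list_json: raw output of `wp plugin list --format=json`.
    two_fa_enabled: True/False when the plugin's 2FA setting is known, else None.
    Returns a list of (slug, version, severity) findings."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "")
        if not is_affected(version):
            continue
        if two_fa_enabled is True:
            severity = "critical"                 # unauthenticated admin access possible
        elif two_fa_enabled is False:
            severity = "update-required"          # vulnerable build, not critically exposed
        else:
            severity = "critical-if-2fa-enabled"  # setting unknown, treat as urgent
        findings.append((PLUGIN_SLUG, version, severity))
    return findings


# Constructed sample resembling `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "9.1.1.1"},
])
```

Run it against the real `wp plugin list --format=json` output of each site and treat any "critical" finding as needing an immediate update to 9.1.2 or later.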
Link(s):
https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
https://wordpress.org/plugins/really-simple-ssl/