Wordfence’s Threat Intelligence team has identified a critical authentication bypass vulnerability affecting over 4 million WordPress sites that are actively using Really Simple Security (formerly Really Simple SSL).
Remote attackers can exploit this security flaw to gain administrator access, even with two-factor authentication enabled.
Vulnerability Profile
- CVE ID: CVE-2024-10924
- CVSS Score: 9.8 (Critical)
- Affected Versions: 9.0.0 – 9.1.1.1 (Free, Pro, and Pro Multisite)
- Fixed Version: 9.1.2
Technical Breakdown
The vulnerability stems from faulty error handling in the plugin's two-factor REST API actions. The check_login_and_get_user function returns a WP_REST_Response error when login-nonce verification fails, but the calling code never checks for that error response.
It proceeds to authenticate the user identified by the supplied user ID, skipping every verification check.
Vulnerable code:
```php
// Returns either a WP_REST_Response (on nonce failure) or a WP_User; the
// calling code does not distinguish the two before authenticating $user_id.
private function check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! Rsssl_Two_Fa_Authentication::verify_login_nonce( $user_id, $login_nonce ) ) {
        return new WP_REST_Response( array( 'error' => 'Invalid login nonce' ), 403 );
    }
    $user = get_user_by( 'id', $user_id );
    return $user;
}
```
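The pattern described above, shown as an added illustrative example rather than the plugin's own code: the vulnerable caller ignores the error response and authenticates the request-supplied ID, while the hardened caller fails closed on anything other than a verified WP_User. It assumes a WordPress runtime (WP_REST_Request, WP_REST_Response, WP_User, get_user_by(), wp_set_auth_cookie(), admin_url()) and the plugin's Rsssl_Two_Fa_Authentication class; the wrapper class name and method names are hypothetical, and the hardened form is a generic fix, not a claim about the vendor's 9.1.2 patch.

```php
<?php
// Hypothetical wrapper class for illustration; assumes a WordPress runtime.
class Rsssl_Two_Fa_Login_Example {

    // Same contract as the vulnerable helper: WP_User on success, WP_REST_Response on failure.
    private function check_login_and_get_user( int $user_id, string $login_nonce ) {
        if ( ! Rsssl_Two_Fa_Authentication::verify_login_nonce( $user_id, $login_nonce ) ) {
            return new WP_REST_Response( array( 'error' => 'Invalid login nonce' ), 403 );
        }
        return get_user_by( 'id', $user_id );
    }

    // Vulnerable caller pattern: the return value is never inspected, so the
    // request-supplied user ID is logged in whether or not the nonce was valid.
    public function vulnerable_authenticate( WP_REST_Request $request ) {
        $user_id = (int) $request->get_param( 'user_id' );
        $user    = $this->check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
        wp_set_auth_cookie( $user_id ); // executes even when $user is the 403 response
        return new WP_REST_Response( array( 'redirect_to' => admin_url() ), 200 );
    }

    // Hardened caller: propagate the error response, require a real WP_User,
    // and derive the authenticated identity from that verified object.
    public function hardened_authenticate( WP_REST_Request $request ) {
        $user_id = (int) $request->get_param( 'user_id' );
        $user    = $this->check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
        if ( $user instanceof WP_REST_Response ) {
            return $user; // nonce failed: return the 403, never set a cookie
        }
        if ( ! ( $user instanceof WP_User ) ) {
            return new WP_REST_Response( array( 'error' => 'Unknown user' ), 403 );
        }
        wp_set_auth_cookie( $user->ID );
        return new WP_REST_Response( array( 'redirect_to' => admin_url() ), 200 );
    }
}
```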
Impact
Attackers can:
- Gain unauthorized access to any user account, including administrator accounts
- Automate exploitation with scripts
- Completely compromise at-risk websites
Timeline
- Nov 6, 2024: Vulnerability discovered by Wordfence
- Nov 7, 2024: Vendor notified
- Nov 12, 2024: Pro version patched
- Nov 14, 2024: Free version patched
Required Actions
- If you are using “Really Simple Security”, update to version 9.1.2 immediately
- Consider enabling auto updates
- Check the Pro version's license status: an invalid license may block auto-updates, in which case the plugin needs to be deactivated
- Consider reading our guide “Cybersecurity for WordPress – Strengthen Your App Security with Layers of Defense”
Conclusions
Consider alternatives to this plugin: something like Headers Security Advanced & HSTS WP paired with Wordfence offers simple, useful security options that go a long way. Ideally, you can implement these basic security settings directly in the WordPress site, theme, and .htaccess file.
Photo by Lewis Kang’ethe Ngugi on Unsplash.