Critical flaw found in ‘Really Simple Security’ WordPress plugin, risking 4M+ sites. CVE-2024-10924 allows potential remote attacks and unauthorized admin access.
CVE-2024-10924
The vulnerability impacts versions 9.0.0 to 9.1.1.1 of the Really Simple Security plugin, including the Pro and Pro Multisite editions. Attackers can exploit an authentication bypass to access any user account, including admin, if ‘Two-Factor Authentication’ is enabled.
The flaw is due to improper handling of user verification in the plugin’s two-factor REST API. It has a high CVSS score of 9.8, marking it as ‘Critical.’
This vulnerability lets attackers access privileged accounts and fully control affected websites. A large-scale attack could target millions of WordPress sites worldwide.
On November 6, 2024, Wordfence identified the vulnerability and began working closely with the plugin’s developer to address the issue. The developer acted quickly, releasing a patched version (9.1.2) on November 14, 2024. To enhance security, the WordPress.org plugins team initiated a forced update to automatically upgrade most sites to the secure version.
However, website owners are still encouraged to manually verify that their plugins are updated to version 9.1.2 or higher, as sites running older versions remain at risk. With over 4 million websites depending on this essential plugin, administrators should check their WordPress installations and apply the update promptly to ensure full protection.
Users of the Pro and Pro Multisite versions without auto-update should manually install the latest patch to secure their sites.
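The version check recommended above, as an added example written for this page (not code from Wordfence or the plugin's developer): it reads the Version field from a plugin's main PHP file header and classifies it against the affected range and fix version stated in the advisory. The header block and sample version below are constructed for illustration.

```python
import re

# Affected range and fix version as stated in the advisory (inclusive bounds).
FIRST_AFFECTED = (9, 0, 0)
LAST_AFFECTED = (9, 1, 1, 1)
FIXED = (9, 1, 2)


def parse_version(text):
    """Turn '9.1.1.1' into a comparable tuple of ints; drop suffixes like '-beta'."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def header_version(plugin_header):
    """Extract the 'Version:' field from a WordPress plugin file header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_header, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def assess(version_text):
    """Classify a Really Simple Security version against CVE-2024-10924."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "patched"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "vulnerable"
    # Older than 9.0.0: outside the advisory's range, but still an outdated install.
    return "outside affected range"


# Constructed sample header (assumed layout; not a file taken from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

if __name__ == "__main__":
    ver = header_version(SAMPLE_HEADER)
    print(ver, "->", assess(ver))
```

Point `header_version` at the contents of the plugin's main PHP file on each site you administer; any result other than "patched" means the update to 9.1.2 or later has not been applied.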