Introduction

A significant vulnerability has been uncovered in the widely used WordPress plugin "Really Simple Security," which could potentially give cybercriminals full administrative access to countless websites. This includes both its free and Pro editions, which combined, are installed on over four million sites worldwide.

The Vulnerability

The flaw, identified by security experts at Wordfence, is one of the gravest vulnerabilities reported in the platform's history. Dubbed CVE-2024-10924, this critical authentication bypass vulnerability allows unauthorized users to exploit the plugin remotely and take control of affected sites.

What Makes This Vulnerability So Dangerous?

The vulnerability originates from improper authentication handling within the plugin's two-factor authentication (2FA) REST API functions. When a user's 'login_nonce' (a security token meant to verify user identity) is incorrect, the system does not appropriately reject the request. Instead, it allows access based solely on 'user_id,' creating a pathway for attackers to bypass security measures effortlessly.

This issue is particularly alarming because it can be exploited on a large scale using automated scripts, leading to potential mass takeovers of various websites. Wordfence recommends that web hosting providers implement force updates of the plugin for all customers and conduct comprehensive database scans to prevent risks from vulnerable versions.

Who is Affected?

The flaw impacts plugin versions ranging from 9.0.0 to 9.1.1.1, including all functionalities available in both free and Pro licenses, as well as the Pro Multisite version. Website administrators using these versions need to act quickly to safeguard their sites.

The Fix

In response to the discovered vulnerability, the developers have released a fix in version 9.1.2 of the plugin. This update, which was rolled out on November 12 for Pro users and November 14 for free users, ensures that if a 'login_nonce' verification fails, the system exits the function immediately, preventing any unauthorized access.

Urgent Steps to Take

Despite efforts from the vendor to coordinate with WordPress.org for forced security updates, it is crucial for all website administrators to verify that they are running the latest version of the plugin (9.1.2). Users of the Pro version, in particular, need to note that their automatic updates may be disabled once their license expires, making manual updates essential.

Don't wait until it’s too late! Ensure your WordPress site is protected by updating to the latest version and educate your team about the importance of robust password and authentication practices in maintaining security. Cybersecurity threats are relentless, and staying ahead is the only way to keep your website and data safe.