Urgent Alert: Massive WordPress Plugin Vulnerability Exposes Millions of Sites to Takeover!

2024-11-17

Author: Mei

What You Need to Know About Really Simple Security

Really Simple Security is a widely used WordPress plugin that provides SSL configuration, login protection, and two-factor authentication (2FA). With over four million installations of the free version alone, the potential impact of this vulnerability is staggering.

A Recipe for Disaster: Automated Exploits

The alarming aspect of this vulnerability is that it can be exploited at scale by automated scripts, raising concerns about widespread website takeover campaigns. The flaw could allow cybercriminals to orchestrate attacks on a massive scale, targeting vulnerable sites with minimal effort.

Inside the Technical Details

Discovered by Wordfence researcher István Márton on November 6, 2024, CVE-2024-10924 is attributed to improper handling of user authentication related to the plugin's two-factor REST API actions. This weakness opens the door to unauthorized access to any user account, including those with administrative privileges.

Who is Affected?

Versions of the Really Simple Security plugin from 9.0.0 to 9.1.1.1—across the free, Pro, and Pro Multisite releases—are vulnerable. The good news is that the developer has rolled out a fix. Version 9.1.2 rectifies the flaw by ensuring that 'login_nonce' verification failures are handled properly, effectively closing this security gap.
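The article describes the defect only in outline: a two-factor REST API action whose handling of a failed 'login_nonce' check was improper, fixed by handling that failure correctly. The following is an added illustration of that bug class, written for this page; it is not code from the Really Simple Security plugin, and the route namespace, function names and the `example_login_nonce` nonce action are assumptions. It places a fail-open handler (the verification result is computed but does not stop the request) next to a fail-closed one that returns on the first failed check, which is the shape of fix the article attributes to 9.1.2.

```php
<?php
// Added example, not the plugin's code. The 'example-2fa/v1' namespace,
// the function names and the 'example_login_nonce' action are assumptions.
// Requires the WordPress runtime (wp_verify_nonce, WP_REST_Request, ...).

/**
 * Vulnerable pattern (constructed for illustration): the failed-nonce
 * branch builds an error response but never returns it, so execution
 * falls through to the authentication code below.
 */
function example_2fa_fail_open( WP_REST_Request $request ) {
	$user_id     = (int) $request->get_param( 'user_id' );
	$login_nonce = (string) $request->get_param( 'login_nonce' );

	if ( ! wp_verify_nonce( $login_nonce, 'example_login_nonce' ) ) {
		$error = new WP_Error( 'invalid_nonce', 'Login nonce verification failed.', array( 'status' => 403 ) );
		// BUG: $error is never returned, so the request keeps going.
	}

	$user = get_user_by( 'id', $user_id );
	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID );
	return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

/**
 * Hardened pattern: every check that fails terminates the request
 * immediately with an error, and nothing below it can run.
 */
function example_2fa_fail_closed( WP_REST_Request $request ) {
	$user_id     = (int) $request->get_param( 'user_id' );
	$login_nonce = (string) $request->get_param( 'login_nonce' );

	// Fail closed on a bad nonce. Logging the failure gives defenders a
	// signal for bulk probing of the endpoint.
	if ( ! wp_verify_nonce( $login_nonce, 'example_login_nonce' ) ) {
		error_log( sprintf( 'example-2fa: nonce verification failed for user_id %d', $user_id ) );
		return new WP_Error( 'invalid_nonce', 'Login nonce verification failed.', array( 'status' => 403 ) );
	}

	$user = get_user_by( 'id', $user_id );
	if ( ! $user ) {
		return new WP_Error( 'unknown_user', 'Unknown user.', array( 'status' => 404 ) );
	}

	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID );
	return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

// Register only the hardened handler. A login endpoint is reached by
// unauthenticated clients, so permission_callback cannot gate it; the
// nonce check inside the callback is the actual guard.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-2fa/v1', '/login', array(
		'methods'             => 'POST',
		'callback'            => 'example_2fa_fail_closed',
		'permission_callback' => '__return_true',
		'args'                => array(
			'user_id'     => array( 'required' => true, 'type' => 'integer' ),
			'login_nonce' => array( 'required' => true, 'type' => 'string' ),
		),
	) );
} );
```

The difference is a single `return`, which is why this class of bug is easy to miss in review and worth a dedicated test: call the handler with an invalid nonce and assert that the response is a `WP_Error` and that no auth cookie was set.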

Act Now: Update Your Plugin!

The fix was released on November 12 for Pro users and on November 14 for the free version; website administrators must verify they are running the patched version 9.1.2 to safeguard against potential exploitation. It's crucial to note that for Pro version users, auto-updates are disabled once the license expires, so a manual update is required to maintain security.
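To turn "verify you are running 9.1.2" into a check that can be scripted across many sites, here is an added example (not part of the article or the plugin) that classifies a version string against the affected range the article gives, 9.0.0 through 9.1.1.1 with the fix in 9.1.2. The sample version strings are constructed; in a WordPress context the real value would come from core's `get_plugin_data()` on the plugin's main file, whose path is not given on this page.

```php
<?php
// Added example, not the plugin's code. The constants restate the range
// given in the article; the version strings in the loop are constructed.

const EXAMPLE_FIRST_AFFECTED = '9.0.0';
const EXAMPLE_FIXED_IN       = '9.1.2';

/**
 * Classify an installed version string.
 *
 * version_compare() handles four-part versions such as 9.1.1.1 correctly:
 * 9.1.1.1 sorts below 9.1.2 because the third component (1) is less than 2.
 */
function example_classify_version( string $version ): string {
	if ( version_compare( $version, EXAMPLE_FIXED_IN, '>=' ) ) {
		return 'patched';
	}
	if ( version_compare( $version, EXAMPLE_FIRST_AFFECTED, '>=' ) ) {
		return 'vulnerable';
	}
	return 'outside affected range';
}

// Constructed sample inputs covering both boundaries of the range.
foreach ( array( '8.3.0', '9.0.0', '9.1.1.1', '9.1.2', '9.2.0' ) as $installed ) {
	printf( "%-8s %s\n", $installed, example_classify_version( $installed ) );
}
```

Running it prints `8.3.0` as outside the range, `9.0.0` and `9.1.1.1` as vulnerable, and `9.1.2` and `9.2.0` as patched. For Pro installs whose license has lapsed, this kind of check is the only thing that will flag a site that auto-update silently skipped.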