A critical authentication bypass was recently disclosed in the Really Simple Security plugin (previously known as Really Simple SSL), which is installed on millions of WordPress sites. The plugin bundles SSL setup, login protection, two-factor authentication (2FA) and security scanning.

The vulnerability, tracked as CVE-2024-10924, lets an unauthenticated attacker bypass authentication and obtain administrator access to an affected site. Both the free and the paid (Pro) editions are affected in versions 9.0.0 through 9.1.1.1; the edition makes no difference. Exploitation requires the plugin's two-factor authentication setting to be enabled, which it is not by default.

What Does This Mean?
An attacker who exploits it can:

  • Take full control of the affected site as an administrator.
  • Alter, deface or take down site content.
  • Read sensitive user data held in the WordPress database.
  • Script the attack and run it against many sites at once, since no credentials or user interaction are needed.

Details of the Vulnerability
The flaw is a logic error in the plugin's two-factor authentication (2FA) handling:

  • The function check_login_and_get_user() does not reject a request whose login_nonce is invalid: the failure is reported as an error value that the calling code never checks.
  • The handler then logs the request in as whatever user ID the request named, so an attacker needs only to pick a user ID (administrator accounts typically have low IDs such as 1) and send any value as the login_nonce.
  • A feature meant to add a second factor therefore became an unauthenticated path to a logged-in session.
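The pattern described above, as an added illustration that is not the plugin's own code: a check that returns an error object on a bad nonce, a caller that ignores the return value and authenticates from the request's user_id, and the hardened form of that caller. The WP_Error class, is_wp_error(), the nonce store and the authenticate() helper are minimal stand-ins assumed here so the script runs from the command line without WordPress.

```php
<?php
// Added illustration of the reported bug class; this is not the plugin's code.
// Minimal stand-ins for WordPress' WP_Error / is_wp_error() so the script runs
// from the command line (php example.php) without a WordPress install.
class WP_Error {
    public $code;
    public $message;
    public function __construct(string $code, string $message) {
        $this->code = $code;
        $this->message = $message;
    }
}
function is_wp_error($thing): bool {
    return $thing instanceof WP_Error;
}

// Hypothetical nonce store: after the password step the plugin issues a
// per-user login_nonce that the 2FA step must present back.
const ISSUED_LOGIN_NONCES = [42 => 'a1b2c3d4e5f60718'];

function verify_login_nonce(int $user_id, string $login_nonce): bool {
    $expected = ISSUED_LOGIN_NONCES[$user_id] ?? null;
    return $expected !== null && hash_equals($expected, $login_nonce);
}

// Mirrors the shape described in the advisory: on a bad nonce the function
// returns an error object instead of a user.
function check_login_and_get_user(int $user_id, string $login_nonce) {
    if (!verify_login_nonce($user_id, $login_nonce)) {
        return new WP_Error('rsssl_login_failed', 'Invalid login nonce');
    }
    return ['ID' => $user_id, 'role' => 'administrator']; // stand-in for get_user_by('id', ...)
}

// Stand-in for wp_set_auth_cookie(): returns a description of the session created.
function authenticate(int $user_id): string {
    return "authenticated session for user {$user_id}";
}

// VULNERABLE shape: the error object is assigned and then ignored, and the
// session is built from the attacker-supplied user_id, so any nonce "works".
function skip_onboarding_vulnerable(array $request): string {
    $user = check_login_and_get_user((int) $request['user_id'], (string) $request['login_nonce']);
    return authenticate((int) $request['user_id']);
}

// FIXED shape: reject the request when the check reports an error, and derive
// the session from the verified user object rather than from request input.
function skip_onboarding_fixed(array $request): string {
    $user = check_login_and_get_user((int) $request['user_id'], (string) $request['login_nonce']);
    if (is_wp_error($user)) {
        return 'rejected: ' . $user->message;
    }
    return authenticate($user['ID']);
}

// A forged request: the attacker knows or guesses user_id and sends any nonce.
$forged = ['user_id' => 42, 'login_nonce' => 'not-the-real-nonce', 'redirect_to' => '/wp-admin/'];
echo 'vulnerable: ', skip_onboarding_vulnerable($forged), PHP_EOL;
echo 'fixed:      ', skip_onboarding_fixed($forged), PHP_EOL;
```

Run it with the php command-line binary: the forged request yields a session from the first handler and a rejection from the second. The general point is that an error returned as a value rather than thrown must be checked at every call site; in WordPress code that means an is_wp_error() check after any call that can return WP_Error, and never building a session from a user ID taken straight from the request.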


How to Protect Your Website
To safeguard your site:

  • Update the plugin to version 9.1.2 or later immediately, and confirm the installed version afterwards rather than assuming an automatic update has run.
  • Review access logs, the user table and any activity logs for signs of abuse: unexpected administrator accounts, sessions or password changes, and POST requests to the plugin's 2FA REST endpoints from unfamiliar clients.
  • If you cannot update right away, disable the plugin's two-factor authentication setting, which removes the vulnerable code path, until the update is done.
  • Keep regular, tested backups so a compromised site can be restored to a known-good state.
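For the log-review step, an added example (not from the article or the plugin) that scans access-log lines in the common combined format for POST requests to the 2FA REST route, in both the pretty-permalink form under /wp-json/ and the ?rest_route= form WordPress also accepts. The route path is an assumption for illustration; confirm it against the REST routes your installed plugin version registers. The log lines are constructed sample data, not real traffic.

```php
<?php
// Added example, not from the article or the plugin. Flags POSTs to the 2FA
// REST route in web-server access logs. SUSPECT_ROUTE is assumed here; verify
// the exact path against the routes registered by your plugin version.
const SUSPECT_ROUTE = '/reallysimplessl/v1/two-fa/skip_onboarding';

// Constructed sample lines (combined log format), not real traffic.
$sampleLog = <<<LOG
203.0.113.7 - - [15/Nov/2024:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2024:10:02:14 +0000] "POST /wp-json/reallysimplessl/v1/two-fa/skip_onboarding HTTP/1.1" 200 311 "-" "python-requests/2.32"
198.51.100.3 - - [15/Nov/2024:10:05:40 +0000] "POST /index.php?rest_route=/reallysimplessl/v1/two-fa/skip_onboarding HTTP/1.1" 200 311 "-" "curl/8.4.0"
192.0.2.9 - - [15/Nov/2024:10:06:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; returns null on lines that do not match.
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// True when the request path addresses the suspect route in either URL form.
function targets_suspect_route(string $path): bool {
    $url = parse_url($path);
    // Pretty-permalink form: /wp-json/<route>
    $suffix = '/wp-json' . SUSPECT_ROUTE;
    if (isset($url['path']) && substr($url['path'], -strlen($suffix)) === $suffix) {
        return true;
    }
    // Plain-permalink form: /index.php?rest_route=<route>
    if (isset($url['query'])) {
        parse_str($url['query'], $q);
        if (($q['rest_route'] ?? '') === SUSPECT_ROUTE) {
            return true;
        }
    }
    return false;
}

// Return every parsed POST entry that hits the suspect route.
function find_suspicious_requests(string $log): array {
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        $entry = parse_log_line($line);
        if ($entry !== null && $entry['method'] === 'POST' && targets_suspect_route($entry['path'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

foreach (find_suspicious_requests($sampleLog) as $hit) {
    printf("%s %s POST %s status=%d ua=%s\n",
        $hit['time'], $hit['ip'], $hit['path'], $hit['status'], $hit['ua']);
}
```

Two caveats when reading the output: access logs do not record the POST body, so the user_id an attacker supplied is not visible there and has to be correlated with new sessions, password changes or administrator accounts created around the same time; and a legitimate 2FA flow also posts to the same route, so a hit is a lead to investigate, not proof of compromise on its own. Unfamiliar user agents and requests from addresses with no preceding normal login activity are the strongest signals.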

This vulnerability highlights the importance of keeping plugins up to date and continuously monitoring website security. If you lack the technical expertise to handle updates, consider seeking assistance from your hosting provider or a WordPress specialist to ensure your site is secure.