A severe authentication bypass vulnerability has been discovered in the widely-used WordPress plugin Really Simple Security (formerly Really Simple SSL), potentially exposing approximately 4 million websites to unauthorized access. Security researchers at Defiant have classified this vulnerability as one of the most critical security issues identified in WordPress plugins over the past decade.
Understanding the Critical Vulnerability
The vulnerability, tracked as CVE-2024-10924, has received a critical CVSS score of 9.8, indicating its severe nature. The security flaw affects Really Simple Security versions 9.0.0 through 9.1.1.1, impacting both free and premium editions (Pro and Pro Multisite). The core issue enables attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to affected websites.
Technical Analysis of the Security Flaw
The vulnerability stems from a flawed implementation of user authentication mechanisms and insecure handling of REST API requests. Sites utilizing two-factor authentication (2FA) are particularly vulnerable to this security breach. The technical investigation revealed that the check_login_and_get_user() function validates users based on user_id and login_nonce parameters. However, when presented with an invalid login_nonce, the system fails to reject the request properly, instead delegating authentication to the authenticate_and_redirect() function, which only verifies the user_id parameter.
Impact Assessment and Mitigation Measures
According to official statistics, approximately 3.5 million websites remain potentially vulnerable to exploitation. The Really Simple Security development team, in collaboration with WordPress.org, has initiated an emergency forced update campaign to address this critical security issue. Security patches were released on November 12th for the free version and November 14th for Pro editions, upgrading the plugin to version 9.1.2.
Website administrators utilizing Really Simple Security must take immediate action to protect their sites by verifying their current plugin version and ensuring the installation of the latest secure update (version 9.1.2). Given the severity of this vulnerability and its straightforward exploitation potential, any delay in implementing the security patch could expose websites to significant security risks. Security experts recommend implementing additional security measures, such as web application firewalls and regular security audits, to maintain robust website protection against similar vulnerabilities.
