Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover


WIRE TOR - The Ethical Hacking Services

November 15, 2024

🔐 A critical-severity vulnerability in the Really Simple Security plugin for WordPress exposed 4 million websites to complete takeover, warns WordPress security firm Defiant. The flaw, tracked as CVE-2024-10924, carries a CVSS score of 9.8, signaling its severity. It is an authentication bypass that enables unauthenticated attackers to log in as any user, including administrator accounts.

🔍 What Went Wrong? The issue arises from improper handling of user verification in the plugin’s two-factor authentication (2FA) feature. When 2FA is enabled, the bug lets an attacker skip the authentication step entirely and obtain full administrative access without ever presenting valid user credentials.

⚠️ What Does This Mean for WordPress Sites? With over 4 million active installations, the vulnerability affects a significant number of WordPress sites using the Really Simple Security plugin, formerly known as Really Simple SSL. The plugin is designed to add security features, including 2FA, login protections, and vulnerability detection. However, the flaw left these sites wide open to full administrative access by threat actors.

💥 The Impact of the Exploit The vulnerability’s exploitation means that threat actors could potentially compromise vulnerable sites and abuse them for further attacks. High-privileged account access makes it easier to deploy malicious payloads, inject malware, or manipulate site data. If not patched quickly, this flaw could have far-reaching consequences for website owners, developers, and users alike.

🔄 What Was Done to Fix It? The vulnerability was reported on November 6, 2024, and patches were rolled out swiftly:

Pro Plugin Version: Patched on November 12, 2024
Free Plugin Version: Patched on November 14, 2024

The WordPress team automatically pushed Really Simple Security plugin version 9.1.2 to users, resolving the bug and significantly improving security.

🛠️ What Should Site Owners Do? If you’re using the Really Simple Security plugin, ensure that you’re running version 9.1.2 or higher. Because of the critical nature of the vulnerability, the plugin’s vendor and the WordPress.org plugins team worked together to push this update as a forced security update.
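One way to audit an install against the fix version named above, as an added example that is not Wire Tor’s or the plugin’s own code: a POSIX shell script that reads the plugin’s "Version:" header and compares it with 9.1.2 field by field, so that a release like 9.10.0 is not mistaken for an older one by string comparison. The plugin directory name really-simple-ssl and the sample header written for the demo are assumptions.

```shell
#!/bin/sh
# Added example: report whether an installed Really Simple Security plugin
# is at or above the patched release 9.1.2 (CVE-2024-10924 fix).

PATCHED_VERSION="9.1.2"

# Extract the "Version:" line from a WordPress plugin header file.
# Only a dotted numeric version is captured, so later arithmetic is safe.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing one numeric field at a time.
# Missing trailing fields count as 0, so 9.1 < 9.1.2 and 10 > 9.1.2.
version_at_least() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Print "patched" or "VULNERABLE" for a given installed version string.
assess_version() {
    if version_at_least "$1" "$PATCHED_VERSION"; then echo "patched"; else echo "VULNERABLE"; fi
}

# Scan a plugin directory for the first PHP file carrying a Version: header.
# Real install (directory name is an assumption):
#   check_plugin_dir /var/www/html/wp-content/plugins/really-simple-ssl
check_plugin_dir() {
    for f in "$1"/*.php; do
        v="$(plugin_version "$f" 2>/dev/null)"
        if [ -n "$v" ]; then echo "$v $(assess_version "$v")"; return 0; fi
    done
    echo "no Version header found"; return 1
}

# Constructed sample plugin header for a stand-alone run (not the real plugin file).
demo_dir="$(mktemp -d)"
printf '<?php\n/**\n * Plugin Name: Really Simple Security\n * Version: 9.1.1\n */\n' > "$demo_dir/plugin.php"
check_plugin_dir "$demo_dir"   # prints: 9.1.1 VULNERABLE
rm -rf "$demo_dir"
```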

🚨 Don’t Wait, Update Now! Site administrators, take immediate action to verify your plugin version. The longer the vulnerability exists in the wild, the more risk your site faces from exploitation. Updating ensures your WordPress website remains protected from these dangerous attacks.

Stay Protected 🔐 At Wire Tor, we specialize in providing top-tier pentest services to secure your website and web applications. With cyber threats evolving every day, ensure your site remains safe by working with experts in ethical hacking and penetration testing.
