A severe authentication bypass vulnerability has been discovered in the WordPress plugin “Really Simple Security” (formerly *Really Simple SSL*), affecting both its free and Pro versions. With over four million active installations, the plugin is widely used for SSL configuration, two-factor authentication (2FA), and real-time vulnerability detection, making the flaw a significant security risk.
The vulnerability, identified as CVE-2024-10924, was disclosed by Wordfence, which called it one of the most critical in its 12-year history. The flaw allows remote attackers to gain full administrative access to websites, even enabling mass exploitation via automated scripts. The issue lies in the plugin’s handling of user authentication through its REST API. When the ‘login_nonce’ parameter is invalid, the system fails to reject the request and improperly authenticates users based on the ‘user_id’ alone, bypassing normal security checks.
The vulnerability affects versions 9.0.0 to 9.1.1.1 of the plugin. The developer has since released a patched version, 9.1.2, on November 12 for Pro users and on November 14 for free users. WordPress.org has coordinated forced updates for many sites, but administrators are advised to verify that they are running the latest version to ensure protection. Users with expired Pro licenses must update manually, as auto-updates are disabled for their accounts.
Despite the patch, as of November 16, WordPress.org reported only 450,000 downloads of the fixed version, leaving approximately 3.5 million sites still vulnerable. Hosting providers and website administrators are urged to prioritize updates and scan for any signs of compromise. This incident highlights the risks of improper security implementations, even in tools designed to enhance site protection.