Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin “Really Simple Security” (formerly *Really Simple SSL*), affecting both its free and Pro versions. With over four million active installations, the plugin is widely used for SSL configuration, two-factor authentication (2FA), and real-time vulnerability detection, making the flaw a significant security risk.

The vulnerability, identified as CVE-2024-10924, was disclosed by Wordfence, which called it one of the most critical in its 12-year history. The flaw allows remote attackers to gain full administrative access to websites, even enabling mass exploitation via automated scripts. The issue lies in the plugin’s handling of user authentication through its REST API. When the ‘login_nonce’ parameter is invalid, the system fails to reject the request and improperly authenticates users based on the ‘user_id’ alone, bypassing normal security checks.

The vulnerability affects versions 9.0.0 to 9.1.1.1 of the plugin. The developer has since released a patched version, 9.1.2, on November 12 for Pro users and November 14 for free users. WordPress.org has coordinated forced updates for many sites, but administrators are advised to verify that they are running the latest version to ensure protection. Users with expired Pro licenses must update manually, as auto-updates are disabled for their accounts.

Despite the patch, as of November 16, WordPress.org reported only 450,000 downloads of the fixed version, leaving approximately 3.5 million sites still vulnerable. Hosting providers and website administrators are urged to prioritize updates and scan for any signs of compromise. This incident highlights the risks of improper security implementations, even in tools designed to enhance site protection.
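To make the two practical points above concrete, here is an added example (not the plugin's code, and not from the advisory): a small Python model of the fail-open flaw described, where an invalid `login_nonce` is noticed but not treated as fatal and the request is authenticated on `user_id` alone, next to the fail-closed form, plus a helper that checks whether an installed version falls in the affected 9.0.0 to 9.1.1.1 range. The nonce construction, handler names and secret are assumptions for illustration only.

```python
import hmac
import hashlib
from typing import Optional

# Constructed server-side secret for this illustration only.
NONCE_SECRET = b"constructed-demo-secret"

def make_login_nonce(user_id: int) -> str:
    """Assumed nonce scheme: HMAC-SHA256 over the user id."""
    return hmac.new(NONCE_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()

def verify_login_nonce(user_id: int, nonce: str) -> bool:
    """Constant-time comparison of the presented nonce against the expected one."""
    return hmac.compare_digest(make_login_nonce(user_id).encode(), nonce.encode())

def vulnerable_handler(params: dict) -> Optional[int]:
    """Models the flaw as described: the nonce check runs, but its failure
    is not fatal, so the request falls through and the caller logs in
    whichever user_id was supplied."""
    user_id = int(params["user_id"])
    nonce_ok = verify_login_nonce(user_id, params.get("login_nonce", ""))
    if not nonce_ok:
        pass  # bug: failure is observed but the request is not rejected
    return user_id  # a returned id means "authenticate this user"

def fixed_handler(params: dict) -> Optional[int]:
    """Fail closed: no valid nonce, no authentication."""
    user_id = int(params["user_id"])
    if not verify_login_nonce(user_id, params.get("login_nonce", "")):
        return None
    return user_id

def is_affected_version(version: str) -> bool:
    """True when 9.0.0 <= version <= 9.1.1.1 (the range named above)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return (9, 0, 0) <= parts <= (9, 1, 1, 1)

if __name__ == "__main__":
    bad = {"user_id": "1", "login_nonce": "not-a-valid-nonce"}
    print("vulnerable:", vulnerable_handler(bad))  # 1  (logged in anyway)
    print("fixed:", fixed_handler(bad))            # None (rejected)
    for v in ("9.0.0", "9.1.1.1", "9.1.2"):
        print(v, "affected" if is_affected_version(v) else "patched/unaffected")
```

The version helper is the check to run against each site's installed plugin version; anything it reports as affected should be updated to 9.1.2 or later and reviewed for unexpected administrator accounts or sessions.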