A critical vulnerability, CVE-2024-10924, has been identified in the WordPress plugin “Really Simple Security” (formerly “Really Simple SSL”), affecting both free and Pro versions. The plugin, which is installed on over four million websites, offers features like SSL setup, login protection, two-factor authentication (2FA), and real-time threat detection.

Disclosed by Wordfence on November 6, 2024, the flaw allows attackers to bypass authentication and gain full administrative access to affected sites. Wordfence describes it as one of the most severe vulnerabilities in its history. Exploiting the flaw is made easier by automated scripts, posing a significant risk of mass site takeovers.

The vulnerability stems from improper handling of 2FA authentication in the plugin’s REST API. Specifically, the ‘check_login_and_get_user()’ function fails to reject invalid ‘login_nonce’ parameters and instead authenticates users based solely on ‘user_id.’ This oversight enables unauthorized access to user accounts, including admin accounts. While 2FA is not enabled by default, many site admins activate it for enhanced security, unintentionally exposing their sites to this flaw.

The issue affects versions 9.0.0 to 9.1.1.1 of the plugin, including free, Pro, and Pro Multisite editions. Developers have addressed the problem by updating the code to terminate the ‘check_login_and_get_user()’ function when ‘login_nonce’ verification fails. The fix is included in version 9.1.2, released on November 12 for Pro users and November 14 for free users.

To mitigate risks, WordPress.org coordinated with the developer to enforce automatic security updates. However, Pro users with expired licenses must manually update to the latest version. As of November 17, around 450,000 downloads of the patched version had been recorded, leaving over 3.5 million sites potentially vulnerable. Site administrators are urged to verify they are running version 9.1.2 to secure their websites.