Wordfence security researcher discloses critical authentication bypass
According to Wordfence security researcher István Márton, a critical authentication bypass vulnerability was disclosed in the WordPress Really Simple Security (formerly Really Simple SSL) plugin. If exploited, it lets attackers remotely obtain full administrative privileges on vulnerable websites.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), affects both the free and paid versions of the plugin, which is installed on over 4 million WordPress websites. Because the flaw is scriptable, it can be turned into large-scale automated attacks against WordPress websites.
The cause was incorrect error handling in a user check

The vulnerability was disclosed on November 6, 2024, and patched in version 9.1.2, released a week later. The risk of abuse may have prompted the plugin maintainers to work with WordPress to force-update all websites running the plugin before public disclosure.
According to Wordfence, the authentication bypass exists in versions 9.0.0 through 9.1.1.1. It stems from incorrect error handling in the user check performed by a function named 'check_login_and_get_user', added as part of a two-factor authentication feature that was not implemented securely. When two-factor authentication is enabled, an unauthenticated attacker can gain access to any user account, including administrator accounts, with a single request.
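The bug class the article names, a user-check helper whose error return is not tested by its caller, is illustrated below. This is an added example, not the plugin's own code: only the name check_login_and_get_user comes from the article; the WP_Error stand-in, the token scheme and the sample data are constructed so the script runs with plain PHP outside WordPress.

```php
<?php
// Added illustration (not the plugin's code) of the WordPress convention that a
// lookup helper returns a WP_Error on failure and the caller must test the result
// with is_wp_error() before using it. WP_Error/is_wp_error are minimal stand-ins.

class WP_Error {
    public string $code;
    public function __construct(string $code) { $this->code = $code; }
}
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Constructed sample state: one user and one valid second-factor token for that user.
$users  = [1 => ['ID' => 1, 'user_login' => 'admin']];
$tokens = [1 => 'constructed-valid-token'];

// Hypothetical user check: returns the user record when the user exists and the
// token matches; otherwise returns a WP_Error describing why the check failed.
function check_login_and_get_user(int $user_id, string $token, array $users, array $tokens) {
    if (!isset($users[$user_id])) {
        return new WP_Error('invalid_user_id');
    }
    if (!isset($tokens[$user_id]) || !hash_equals($tokens[$user_id], $token)) {
        return new WP_Error('invalid_token');
    }
    return $users[$user_id];
}

// Defective caller: it never asks whether the result is an error, so a failed
// check falls through to the same "log in" branch as a successful one.
function login_without_error_check(int $user_id, string $token, array $users, array $tokens): string {
    $user = check_login_and_get_user($user_id, $token, $users, $tokens);
    // BUG: no is_wp_error($user) test; a WP_Error reaches the login step and the
    // request's own user id decides which account is used.
    return "login proceeds for user id $user_id";
}

// Corrected caller: an error return stops the request before any session is created.
function login_with_error_check(int $user_id, string $token, array $users, array $tokens): string {
    $user = check_login_and_get_user($user_id, $token, $users, $tokens);
    if (is_wp_error($user)) {
        return 'rejected: ' . $user->code;
    }
    return 'login proceeds for ' . $user['user_login'];
}

// Same wrong token, two outcomes: the defective caller proceeds, the corrected
// one rejects. The valid token is accepted only by the corrected path's full check.
echo login_without_error_check(1, 'wrong-token', $users, $tokens), PHP_EOL;
echo login_with_error_check(1, 'wrong-token', $users, $tokens), PHP_EOL;
echo login_with_error_check(1, 'constructed-valid-token', $users, $tokens), PHP_EOL;
```

The detection lesson for code review is the same regardless of plugin: any caller of a helper that can return WP_Error must branch on is_wp_error() (or an equivalent failure test) before the returned value is used to establish an authenticated session.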
If exploited, full administrative control of the website is lost
Successful exploitation could have severe consequences: it may allow malicious actors to hijack WordPress websites and use them for further criminal purposes.
Wordfence published this information a few days after revealing another critical flaw in the WPLMS Learning Management System (WordPress LMS, CVE-2024-10470, CVSS score: 9.8), which may allow unauthenticated threat actors to read and delete arbitrary files.
Specifically, versions prior to 4.963 suffer from insufficient file path validation and permission checks, allowing unauthenticated attackers to read and delete arbitrary files on the server, including the website's wp-config.php file. Deleting wp-config.php puts the website into its setup state, allowing attackers to take over the site by pointing it at a database under their control.
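The two controls the article says were missing, a permission check and a file path check, are shown below in the order a file-handling endpoint should apply them. This is an added example, not the WPLMS plugin's code: the handler name, nonce action and the choice of the uploads directory as the only permitted location are assumptions; current_user_can, wp_verify_nonce and wp_upload_dir are real WordPress APIs, so handle_delete_upload only runs with WordPress loaded, while resolve_inside_dir runs in plain PHP.

```php
<?php
// Added illustration (not the WPLMS plugin's code) of path confinement plus an
// authorization check before any file read or delete.

// Resolve $requested against $base_dir and return the absolute path only if it
// is an existing regular file strictly inside $base_dir. realpath() collapses
// "../" segments and follows symlinks, so an escape via either is rejected.
function resolve_inside_dir(string $base_dir, string $requested): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject empty names, NUL bytes and absolute paths before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === DIRECTORY_SEPARATOR) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Prefix test includes the separator so "/srv/uploads2" does not pass for "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Hypothetical WordPress handler: authorization first, then path confinement,
// and only then the destructive operation.
function handle_delete_upload(string $requested_relative_path): string {
    // 1. Permission check: the request must come from a logged-in user with the
    //    capability to manage the site, and must carry a valid nonce for this action.
    if (!current_user_can('manage_options')) {
        return 'denied: insufficient permission';
    }
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'delete_upload')) {
        return 'denied: invalid nonce';
    }
    // 2. Path check: confine the target to the uploads directory. wp-config.php
    //    lives outside it, so a request naming it can never resolve to a file here.
    $uploads_dir = wp_upload_dir()['basedir'];
    $target = resolve_inside_dir($uploads_dir, $requested_relative_path);
    if ($target === null) {
        return 'denied: path not inside uploads directory';
    }
    unlink($target);
    return 'deleted';
}

// Plain-PHP demonstration of the path check against a constructed directory tree.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');
var_dump(resolve_inside_dir($tmp, 'report.pdf') !== null);            // inside: accepted
var_dump(resolve_inside_dir($tmp, '../../etc/passwd') === null);      // traversal: rejected
var_dump(resolve_inside_dir($tmp, '/etc/passwd') === null);           // absolute: rejected
unlink($tmp . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($tmp);
```

The ordering matters for detection as well as prevention: a handler that rejects unauthorized callers before resolving paths produces a clean "denied: insufficient permission" signal in logs, which is a simpler thing to alert on than a path error buried after a partially processed request.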
Original Source: https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html