WordPress Plugin Vulnerabilities

Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass

Description

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

Proof of Concept

Affects Plugins

Plugin icon
really-simple-ssl
Fixed in 9.1.2
Plugin icon
really-simple-ssl-pro
Fixed in 9.1.2
Plugin icon
really-simple-ssl-pro-multisite
Fixed in 9.1.2

References

CVE
CVE-2024-10924
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
István Márton
Verified
Yes
WPVDB ID
8e1f4374-2e41-4c27-80d4-db172015c6be

Timeline

Publicly Published
2024-11-14 (about 1 year ago)
Added
2024-11-14 (about 1 year ago)
Last Updated
2024-11-14 (about 1 year ago)

Other

Published
Title
Published
2025-11-21
Title
Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation
Published
2025-05-05
Title
BuddyBoss Platform Pro < 2.7.10 - Authentication Bypass via Apple OAuth provider
Published
2024-10-14
Title
WP 2FA with Telegram < 3.1 - Two-Factor Authentication Bypass
Published
2014-08-01
Title
Contact Form 7 <= 3.7.1 - CAPTCHA Bypass
Published
2023-11-23
Title
The Events Calendar < 6.2.8.1 - Unauthenticated Arbitrary Password Protected Post Read