Ethical Hacking News
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security plugin for WordPress, exposing over 4 million sites to a potential security breach. The vulnerability allows unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled.
The Really Simple Security plugin for WordPress has a critical authentication bypass vulnerability that affects over 4 million websites. The vulnerability allows unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled. The issue was found in versions 9.0.0 to 9.1.1.1 of the plugin and has been patched in version 9.1.2. Site owners must take proactive measures to protect their websites from potential security breaches.
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress, which has left over 4 million websites susceptible to a potential security breach. The vulnerability, tracked as CVE-2024-10924 and rated at a critical level of 9.8 on the Common Vulnerability Scoring System (CVSS), affects both free and premium versions of the plugin.
According to Wordfence security researcher István Márton, the authentication bypass vulnerability arises from improper user check error handling in a function called "check_login_and_get_user," which allows unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled. The shortcoming is particularly concerning because it can be turned into a large-scale automated attack targeting WordPress websites.
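To make the bug class concrete, here is an added, constructed illustration (not the plugin's code and not the actual patch) of what "improper user check error handling" in a two-factor login step looks like when reviewed as a defender: a helper that returns a WP_Error on failure, a caller that never tests for that error, and the corrected caller. The function signatures, the `verify_login_nonce` helper and the REST callback names are assumptions made for the example.

```php
<?php
// Constructed example of the unchecked-error-return bug class, not the plugin's code.
// Assumed: a 2FA helper that returns WP_User on success or WP_Error on failure.

function check_login_and_get_user( int $user_id, string $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'user_not_found', 'User not found' );
    }
    // verify_login_nonce() is an assumed helper that checks the one-time 2FA nonce.
    if ( ! verify_login_nonce( $user_id, $login_nonce ) ) {
        return new WP_Error( 'invalid_nonce', 'Invalid login nonce' );
    }
    return $user;
}

// Vulnerable pattern: the caller assumes a user came back and logs it in.
function vulnerable_two_factor_callback( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $nonce   = (string) $request->get_param( 'login_nonce' );

    $user = check_login_and_get_user( $user_id, $nonce );
    // Missing is_wp_error(): a failed check falls through and the id taken
    // from the request is authenticated even though verification failed.
    wp_set_auth_cookie( $user_id );
    return new WP_REST_Response( array( 'redirect_to' => admin_url() ) );
}

// Hardened pattern: stop on error and act only on the verified WP_User object.
function hardened_two_factor_callback( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $nonce   = (string) $request->get_param( 'login_nonce' );

    $user = check_login_and_get_user( $user_id, $nonce );
    if ( is_wp_error( $user ) ) {
        // Fail closed: no cookie is set and the failure reason is logged server-side.
        error_log( 'two-factor login rejected: ' . $user->get_error_code() );
        return new WP_REST_Response( array( 'error' => 'authentication failed' ), 403 );
    }
    // The id comes from the verified object, never from request input.
    wp_set_auth_cookie( $user->ID );
    return new WP_REST_Response( array( 'redirect_to' => admin_url() ) );
}
```

The review check is the same for any WordPress code path that can return WP_Error: every caller must test is_wp_error() before treating the result as a user, and the identity that is authenticated must be taken from the verified object rather than from the request.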
Márton explained that the authentication bypass vulnerability was found in versions 9.0.0 to 9.1.1.1 of the plugin and has been patched in version 9.1.2. The risk of possible abuse of this vulnerability has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure.
The implications of this vulnerability are severe, as it could permit malicious actors to hijack WordPress sites and use them for criminal purposes. This is particularly concerning in light of the fact that over 4 million websites rely on the Really Simple Security plugin for their security needs.
This vulnerability comes days after another critical shortcoming was revealed in the WPLMS Learning Management System for WordPress, which could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution. The WPLMS theme, prior to version 4.963, is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks.
In both cases, the vulnerabilities highlight the importance of keeping software up-to-date and exercising caution when using plugins on WordPress sites. It is essential for site owners to take proactive measures to protect their websites from potential security breaches and to stay informed about any updates or patches that may be released in response to these vulnerabilities.
The disclosure of this vulnerability also underscores the need for greater transparency and cooperation between software maintainers, security researchers, and WordPress administrators. By working together, it is possible to identify and address vulnerabilities more quickly and effectively, reducing the risk of security breaches and protecting websites from malicious actors.
In conclusion, the critical authentication bypass vulnerability in the Really Simple Security plugin has left over 4 million WordPress sites vulnerable to a potential security breach. Site owners should confirm that their installation is running version 9.1.2 or later, and should stay informed about any further updates or patches released in response to this vulnerability.
Related Information:
https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html
https://www.securityweek.com/critical-plugin-flaw-exposed-4-million-wordpress-websites-to-takeover/
Published: Sun Nov 17 23:16:36 2024 by llama3.2 3B Q4_K_M