Ethical Hacking News

A Critical Vulnerability Exposes 4 Million WordPress Sites to Remote Attack



A critical flaw in the Really Simple Security plugin, tracked as CVE-2024-10924 (CVSS 9.8), affects more than 4 million WordPress sites and lets an unauthenticated attacker remotely gain access to arbitrary accounts, including the administrator account, on sites where the plugin's two-factor authentication feature is enabled. Wordfence describes it as one of the most critical WordPress vulnerabilities it has ever found. The plugin, formerly known as Really Simple SSL, is installed on over 4 million websites. Fixed versions were released on November 12 for Pro users and November 14 for free users, and WordPress.org coordinated forced updates for most sites, but admins should verify they are running 9.1.2 or later.





Critical Really Simple Security plugin flaw impacts 4M+ WordPress sites


Pierluigi Paganini
November 18, 2024



A Really Simple Security plugin flaw affects 4M+ sites, allowing attackers full admin access. It’s one of the most critical WordPress vulnerabilities ever.
Wordfence researchers warn of a vulnerability, tracked as CVE-2024-10924 (CVSS score of 9.8), in the Really Simple Security plugin that affects 4M+ sites. The Really Simple Security plugin, formerly Really Simple SSL, is a popular WordPress tool that enhances website security with features such as login protection, vulnerability detection, and two-factor authentication. Wordfence researcher István Márton discovered the vulnerability on November 6, 2024.
According to the researchers, this is one of the most serious vulnerabilities they have reported in their 12 years of activity. It affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin.
The vulnerability is an authentication bypass in the free Really Simple Security plugin and in the Really Simple Security Pro and Pro Multisite plugins. An attacker could exploit it to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication feature is enabled.
The Really Simple Security plugin, formerly Really Simple SSL, introduced two-factor authentication in a recent release (the affected range starts at 9.0.0), but its implementation is not secure.
The flaw is caused by improper error handling of the user check in the plugin's two-factor REST API actions, specifically in the check_login_and_get_user() function.
The researchers warned that the vulnerability is scriptable, meaning attackers can automate its exploitation in large-scale attacks.
“The check_login_and_get_user() function verifies the user using the user_id and login_nonce parameters.
The most significant problem and vulnerability is caused by the fact that the function returns a WP_REST_Response error in case of a failure, but this is not handled within the function. This means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(), which authenticates the user based on the user id passed in the request, even when that user's identity hasn't been verified.” reads the advisory.
“Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts, make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it.”
This vulnerability only impacts WordPress sites that have enabled “Two-Factor Authentication” in the plugin settings.
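The bug class the advisory describes is an unchecked error return: the verification function signals failure by returning an error value, and the caller never looks at it before authenticating. The following PHP is an added illustration written for this article, not the plugin's or Wordfence's code; the function names mirror the advisory, while the request shape, the nonce store, the stand-in WP_REST_Response and WP_User classes, and the handler names are assumptions so the file runs with plain `php` (8.0 or later) outside WordPress. It shows the vulnerable call pattern next to a hardened one.

```php
<?php
// Added example, not code from the plugin or the advisory.
// Minimal stand-ins for the WordPress classes so this runs outside WordPress
// (assumption: the real plugin uses WordPress's own WP_REST_Response / WP_User).
class WP_REST_Response {
    public function __construct(public $data, public int $status = 200) {}
}
class WP_User {
    public function __construct(public int $ID, public string $user_login) {}
}

// Constructed sample state. User 1 is the administrator. A login nonce exists
// only for a user who already passed the first factor (here: user 7, not 1).
$USERS        = [1 => new WP_User(1, 'admin'), 7 => new WP_User(7, 'editor')];
$LOGIN_NONCES = [7 => 'c0ffee-nonce-issued-after-password-check'];

// Verifies user_id + login_nonce. On failure it RETURNS an error response;
// nothing stops a caller that ignores the return value.
function check_login_and_get_user(int $user_id, string $login_nonce) {
    global $USERS, $LOGIN_NONCES;
    if (!isset($USERS[$user_id]) || !isset($LOGIN_NONCES[$user_id])
        || !hash_equals($LOGIN_NONCES[$user_id], $login_nonce)) {
        return new WP_REST_Response(['error' => 'invalid login nonce'], 403);
    }
    return $USERS[$user_id];
}

// Stand-in for setting the auth cookie: reports who got logged in.
function authenticate_and_redirect(int $user_id): string {
    return "logged in as user $user_id";
}

// Vulnerable pattern (as described by the advisory): the result of the check
// is never inspected, and authentication uses the caller-supplied user id.
function vulnerable_handler(array $request): string {
    $user_id = (int) $request['user_id'];
    $user = check_login_and_get_user($user_id, $request['login_nonce']);
    // BUG: $user may be a WP_REST_Response error, but execution continues.
    return authenticate_and_redirect($user_id);
}

// Hardened pattern: stop on error, and authenticate the verified user object
// rather than the id taken from the request.
function hardened_handler(array $request) {
    $user = check_login_and_get_user((int) $request['user_id'], $request['login_nonce']);
    if ($user instanceof WP_REST_Response) {
        return $user;                       // propagate the 403 to the REST layer
    }
    return authenticate_and_redirect($user->ID);
}

// Constructed attacker request: the admin's user id with a garbage nonce.
$attack = ['user_id' => 1, 'login_nonce' => 'anything'];
echo "vulnerable: ", vulnerable_handler($attack), PHP_EOL;
$r = hardened_handler($attack);
echo "hardened:   ", ($r instanceof WP_REST_Response ? "rejected with HTTP {$r->status}" : $r), PHP_EOL;
```

Two things to take from the hardened form: a verification helper that reports failure through its return value needs every caller to branch on that value (an exception, or a type that cannot be silently ignored, removes that burden), and the identity that ends up authenticated must come from the verified object, never from a request parameter. A real implementation would also consume the login nonce once it has been used; that is left out here to keep the contrast between the two handlers visible.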
CVE-2024-10924 impacts plugin versions from 9.0.0 up to and including 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases. The flaw has been fixed in version 9.1.2. Security updates were released on November 12 (Pro versions) and November 14 (free users). WordPress.org coordinated forced updates for most users, but admins should verify they are on the latest version.
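Because forced updates do not reach every site, the practical check is to compare the installed version against the range above. The following PHP is an added example for this article, not code from the plugin or the advisory; it classifies a constructed list of fleet versions using PHP's version_compare(), which orders the plugin's four-part version strings correctly (9.1.1.1 sorts below 9.1.2). The site names and versions are made up.

```php
<?php
// Added example, not from the article or the plugin. Flags installed versions
// that fall in the affected range for CVE-2024-10924 as given above:
// 9.0.0 through 9.1.1.1 inclusive, fixed in 9.1.2.
const FIRST_AFFECTED = '9.0.0';
const FIXED_VERSION  = '9.1.2';

// True when $installed is >= 9.0.0 and < 9.1.2.
function is_vulnerable_version(string $installed): bool {
    return version_compare($installed, FIRST_AFFECTED, '>=')
        && version_compare($installed, FIXED_VERSION, '<');
}

// Constructed sample: versions an administrator might see across several sites.
$fleet = [
    'site-a' => '8.3.0',    // below the affected range
    'site-b' => '9.0.0',    // first affected release
    'site-c' => '9.1.1.1',  // last affected release
    'site-d' => '9.1.2',    // fixed release
];

foreach ($fleet as $site => $version) {
    printf("%-7s %-8s %s\n", $site, $version,
        is_vulnerable_version($version) ? 'UPDATE NOW (affected range)' : 'ok');
}
```

On a single site, WP-CLI prints the installed version with `wp plugin get really-simple-ssl --field=version` (assuming the free plugin's WordPress.org slug; the Pro packages are installed under their own slugs). A version in the affected range is exploitable only where the plugin's two-factor authentication setting is enabled, but the fix should be applied regardless, since the setting can be turned on later.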