Ethical Hacking News
A critical security flaw in a widely used WordPress plugin has left millions of websites vulnerable to hackers. The Really Simple Security (RSS) plugin, which provides important security features like SSL configuration and two-factor authentication, has been found to have a critical vulnerability that can be exploited en masse by remote attackers. With the potential for large-scale website takeover campaigns, it is essential for website administrators to take immediate action to secure their sites.
A security plugin flaw has been discovered in millions of websites that use WordPress, leaving them vulnerable to hackers. The Really Simple Security (RSS) plugin, which offers SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection, has been found to have a critical authentication bypass vulnerability.
According to Wordfence, a security firm that publicly disclosed the flaw, this is one of the most severe vulnerabilities reported in their 12-year history. The vulnerability allows remote attackers to gain full administrative access to impacted sites, which can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.
The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence's researcher István Márton on November 6, 2024. It is caused by improper handling of user authentication in the plugin's two-factor REST API actions, enabling unauthorized access to any user account, including administrators.
Specifically, the problem lies in the 'check_login_and_get_user()' function, which verifies user identity by checking the 'user_id' and 'login_nonce' parameters. When 'login_nonce' is invalid, the request is not rejected as it should be; instead the code invokes 'authenticate_and_redirect()', which authenticates the user on the basis of 'user_id' alone, effectively allowing an authentication bypass.
The flaw is exploitable when two-factor authentication (2FA) is enabled; although 2FA is disabled by default, many administrators enable it for stronger account security. CVE-2024-10924 affects plugin versions 9.0.0 up to and including 9.1.1.1 of the "free," "Pro," and "Pro Multisite" releases.
The developer addressed the flaw by making the code handle a failed 'login_nonce' verification correctly: the 'check_login_and_get_user()' function now exits immediately. The fix shipped in version 9.1.2 of the plugin, released on November 12 for the Pro version and on November 14 for free users.
The vendor coordinated with WordPress.org to push forced security updates to users of the plugin, but website administrators should still check that they are running the latest version (9.1.2). Auto-updates are disabled for the Pro version once its license expires, so those users must update to 9.1.2 manually.
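As an added example (not from the article or the plugin's own code), a Python check an administrator can run against a site's wp-content/plugins tree to flag installs inside the affected range 9.0.0 to 9.1.1.1; it assumes the plugin's main file carries the standard WordPress 'Plugin Name:' and 'Version:' header lines and that the name starts with 'Really Simple Security'.

```python
import re
from pathlib import Path

# Affected range as stated in the advisory above; the fix shipped in 9.1.2.
FIRST_AFFECTED = "9.0.0"
LAST_AFFECTED = "9.1.1.1"

# WordPress plugin headers carry "Version: x.y.z" in the main file's comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(version):
    """'9.1.1.1' -> (9, 1, 1, 1), padded to four parts so 9.1.2 sorts above 9.1.1.1."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version):
    """True when the installed version lies inside 9.0.0 .. 9.1.1.1 inclusive."""
    lo, hi = parse_version(FIRST_AFFECTED), parse_version(LAST_AFFECTED)
    return lo <= parse_version(version) <= hi


def plugin_header(source):
    """Return (plugin name, version) from a plugin file header; None for a missing field."""
    name, version = NAME_RE.search(source), VERSION_RE.search(source)
    return (name.group(1) if name else None, version.group(1) if version else None)


def assess(source):
    """Classify a plugin main file as 'affected', 'not affected' or 'unknown'."""
    _, version = plugin_header(source)
    if version is None:
        return "unknown"
    try:
        return "affected" if is_affected(version) else "not affected"
    except ValueError:  # non-numeric version string, e.g. a dev build
        return "unknown"


def scan_plugins_dir(plugins_dir):
    """Report (name, version, verdict) for each Really Simple Security main file under wp-content/plugins."""
    results = []
    for php in Path(plugins_dir).glob("*/*.php"):  # main files sit at each plugin's top level
        source = php.read_text(errors="ignore")
        name, version = plugin_header(source)
        if name and name.startswith("Really Simple Security"):  # assumed header name
            results.append((name, version or "?", assess(source)))
    return results


# Constructed sample header (not a real plugin file) so the script runs stand-alone.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Really Simple Security\n * Version: 9.1.1.1\n */\n"
```

Run scan_plugins_dir("/path/to/wordpress/wp-content/plugins") on a live site; any row marked "affected" needs the 9.1.2 update.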
As of yesterday, the WordPress.org stats site, which tracks installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw. This illustrates how widespread the vulnerability is and why website administrators need to act urgently to secure their sites.
Related Information:
https://www.bleepingcomputer.com/news/security/security-plugin-flaw-in-millions-of-wordpress-sites-gives-admin-access/
https://cybersecuritynews.com/wordpress-plugin-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2024-10924
https://www.cvedetails.com/cve/CVE-2024-10924/
Published: Sun Nov 17 12:15:45 2024 by llama3.2 3B Q4_K_M