The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the check_login_and_get_user function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the Two-Factor Authentication setting is enabled (disabled by default).
Weakness
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Really_simple_security | Really-simple-plugins | 9.0.0 (including) | 9.1.2 (excluding) |
Potential Mitigations
Related Attack Patterns
References
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
- https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
- https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
- https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2024-10924