CVE-2024-10924: vulnerability on around four million sites

A vulnerability that permits bypassing authentication has been found in a popular security hardening plugin for WordPress.

CVE-2024-10924, authentication bypass vulnerability in WordPress

Bad news for organizations running WordPress sites with two-factor authentication provided by the Really Simple Security plugin. The recently disclosed CVE-2024-10924 vulnerability in this plugin lets an unauthenticated attacker log in as any existing user, administrators included. Updating the plugin as soon as possible is strongly recommended.

What’s the danger of the CVE-2024-10924 vulnerability

As ironic as it may sound, the CVE-2024-10924 vulnerability in the plugin called Really Simple Security has a CVSS score of 9.8 and is classified as critical. It is an authentication bypass caused by improper error handling in the plugin's two-factor login flow: according to the Wordfence analysis, when the login nonce sent with a two-factor request fails verification, the helper that checks it returns an error object instead of aborting the request, and the calling REST handler never inspects that return value. It simply proceeds to authenticate whatever user ID the request supplied. Because the endpoint is reachable without prior authentication, an attacker who knows or guesses a user ID (the first administrator is usually ID 1) can log in as that user with that user's privileges, which typically means a full takeover of the site.

A proof-of-concept exploit is already publicly available on GitHub, and since the attack is a single crafted request it is trivial to automate against many sites at once. The Wordfence researchers who discovered CVE-2024-10924 described it as one of the most serious vulnerabilities they have reported in their 12 years of working on WordPress security.
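The logic error described above, as a simplified Python model. This is an added example, not the plugin's code: the store, request format and function names are assumptions, chosen to mirror Wordfence's description of the bug (a nonce-check helper that returns an error object on failure, and a REST handler that never inspects that return value). The fixed handler shows the two changes a reviewer would insist on: abort on the error, and consume the nonce so it cannot be replayed.

```python
"""Model of the CVE-2024-10924 logic error and its fix.

Added example, not the plugin's code. The structure follows Wordfence's
description of the bug; all names, the in-memory store and the request
format are assumptions made for this illustration.
"""
from dataclasses import dataclass
import hmac
import secrets


@dataclass
class ErrorResponse:
    """Stand-in for a REST error response object returned on failure."""
    status: int
    message: str


class TwoFactorStore:
    """Constructed in-memory state (assumption: the real plugin keeps the
    nonce in user meta). A login nonce is issued once the first factor
    (the password) succeeds; `sessions` records who got logged in."""

    def __init__(self):
        self.login_nonces: dict[int, str] = {}
        self.sessions: list[int] = []

    def issue_login_nonce(self, user_id: int) -> str:
        nonce = secrets.token_hex(16)
        self.login_nonces[user_id] = nonce
        return nonce

    def verify_login_nonce(self, user_id: int, nonce: str) -> bool:
        expected = self.login_nonces.get(user_id)
        return expected is not None and hmac.compare_digest(expected, nonce)


def check_login_and_get_user(store: TwoFactorStore, user_id: int, login_nonce: str):
    """Validate the nonce and return the user record.

    The defect that enables the bypass: on failure this returns an error
    *object* rather than raising, so a caller that does not inspect the
    return value carries on as if the check had passed."""
    if not store.verify_login_nonce(user_id, login_nonce):
        return ErrorResponse(400, "invalid login nonce")
    return {"id": user_id}


def skip_onboarding_vulnerable(store: TwoFactorStore, request: dict):
    """Unauthenticated REST handler as modelled. Both user_id and
    login_nonce come straight from the attacker-controlled request."""
    user_id = int(request["user_id"])
    user = check_login_and_get_user(store, user_id, request["login_nonce"])
    # BUG: `user` may be an ErrorResponse, but nothing checks for it; the
    # request's user_id is logged in whether or not the nonce matched.
    store.sessions.append(user_id)
    return {"logged_in": user_id}


def skip_onboarding_fixed(store: TwoFactorStore, request: dict):
    """Same handler with the error checked and the nonce made single-use."""
    user_id = int(request["user_id"])
    user = check_login_and_get_user(store, user_id, request["login_nonce"])
    if isinstance(user, ErrorResponse):
        return user  # abort: the nonce did not verify
    del store.login_nonces[user_id]  # consume the nonce so it cannot be replayed
    store.sessions.append(user["id"])  # log in the *verified* user, not raw input
    return {"logged_in": user["id"]}


def attacker_attempt(handler):
    """Forge a request for user ID 1 (typically the first administrator)
    with a made-up nonce and report whether a session was created."""
    store = TwoFactorStore()  # nobody is mid-login, so no nonce exists at all
    forged = {"user_id": 1, "login_nonce": "not-a-real-nonce"}
    result = handler(store, forged)
    return 1 in store.sessions, result


if __name__ == "__main__":
    print("vulnerable handler, forged request:", attacker_attempt(skip_onboarding_vulnerable))
    print("fixed handler, forged request:     ", attacker_attempt(skip_onboarding_fixed))
```

Running the block shows the forged request creating a session for user 1 against the vulnerable handler and receiving a 400 error from the fixed one. The general lesson is not specific to this plugin: a helper that signals failure through its return value is only as safe as the least careful caller, so authentication checks should fail closed (raise, or return early) and the identity that gets logged in should come from the verified object, never from the raw request.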

Who’s vulnerable to CVE-2024-10924?

Both the free and the paid (Pro and Pro Multisite) editions of the Really Simple Security plugin are affected, in versions 9.0.0 through 9.1.1.1 inclusive. Exploiting CVE-2024-10924 does require the plugin's two-factor authentication feature to be enabled. It is off by default, but many users install this plugin specifically for that feature, so a site with 2FA switched on should be treated as exposed.

Thanks to the existence of a free version of the plugin, it’s extremely popular; researchers say that it’s installed on around four million sites.

How to stay safe

First of all, update the plugin to version 9.1.2 or later. If for some reason this isn't possible right away, disable the plugin's two-factor authentication feature as a temporary mitigation; this closes the vulnerable code path, but it obviously weakens the security of your site and is no substitute for the update. The developer and WordPress.org have pushed a forced automatic update, but administrators should still open the admin panel and confirm that the installed version is 9.1.2 or later rather than assume the update went through.

The plugin developer’s website also has a section with tips on updating it if the automatic update doesn’t work.

In addition, even if you updated promptly and saw no obvious signs of malicious activity, take the time to audit the list of users with administrator rights and make sure there are no new or unfamiliar accounts. The bypass itself leaves no trace inside the plugin, so a new administrator account is the most likely indicator; if you keep web server logs, requests to the plugin's two-factor REST endpoints (the vulnerable one is the "skip onboarding" route) from unfamiliar IP addresses are also worth a look.
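The remediation steps above as a WP-CLI triage script, added here as an example; it is not from the article or from the plugin vendor. Assumptions: WP-CLI (`wp`) is installed and the script runs from the site root; the plugin's wordpress.org slug is `really-simple-ssl` (the slug the plugin kept after its rename); the affected range 9.0.0 through 9.1.1.1 and the fixed version 9.1.2 are as the article reports; and the look-back window for "recently created administrators" is a constructed choice, not a figure from the article.

```python
"""Triage CVE-2024-10924 on a WordPress host with WP-CLI.

Added example, not the article's or the plugin vendor's code. Assumes WP-CLI
is on PATH and the script is run from the site root. The affected version
range is the one the article reports; the look-back window is an assumption.
"""
import json
import subprocess
from datetime import date, datetime, timedelta

PLUGIN_SLUG = "really-simple-ssl"  # wordpress.org slug kept after the rename (assumption)
FIRST_VULNERABLE = (9, 0, 0)
LAST_VULNERABLE = (9, 1, 1, 1)
FIXED = (9, 1, 2)
LOOKBACK_DAYS = 60  # assumption: adjust to when the site first ran a 9.x build

# Constructed sample of `wp user list --role=administrator --format=json`
# output, used only to exercise flag_recent_admins() offline.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.invalid",
     "user_registered": "2023-01-02 03:04:05"},
    {"ID": 9, "user_login": "wp_support", "user_email": "x@example.invalid",
     "user_registered": "2024-11-20 10:00:00"},
])


def parse_version(text: str) -> tuple:
    """'9.1.1.1' -> (9, 1, 1, 1); parsing stops at the first non-numeric part."""
    parts = []
    for p in text.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def pad(v: tuple, n: int = 4) -> tuple:
    """Right-pad with zeros so (9, 1, 2) and (9, 1, 1, 1) compare correctly."""
    return v + (0,) * (n - len(v))


def is_vulnerable(version: str) -> bool:
    v = pad(parse_version(version))
    return pad(FIRST_VULNERABLE) <= v <= pad(LAST_VULNERABLE)


def flag_recent_admins(users_json: str, since: str) -> list:
    """Return logins of administrators registered on or after `since`
    (YYYY-MM-DD). Input is JSON from `wp user list --format=json`."""
    cutoff = date.fromisoformat(since)
    flagged = []
    for u in json.loads(users_json):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


def wp(*args: str) -> str:
    """Run a WP-CLI command and return its stdout; raises if it fails."""
    return subprocess.run(["wp", *args], check=True, capture_output=True, text=True).stdout


def main():
    version = wp("plugin", "get", PLUGIN_SLUG, "--field=version").strip()
    if is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version} is in the affected range; updating")
        wp("plugin", "update", PLUGIN_SLUG)
        version = wp("plugin", "get", PLUGIN_SLUG, "--field=version").strip()
    status = "fixed" if pad(parse_version(version)) >= pad(FIXED) else "STILL VULNERABLE"
    print(f"{PLUGIN_SLUG} {version}: {status}")

    # Audit administrators regardless of version: the bypass leaves no trace
    # in the plugin, so a new admin account is the indicator to look for.
    users = wp("user", "list", "--role=administrator", "--format=json",
               "--fields=ID,user_login,user_email,user_registered")
    since = (date.today() - timedelta(days=LOOKBACK_DAYS)).isoformat()
    print(f"administrators registered since {since}:", flag_recent_admins(users, since))


if __name__ == "__main__":
    main()
```

The version comparison pads to four components on purpose: a naive string comparison would rank "9.1.1.1" below "9.1.1" and could wrongly mark a vulnerable build as safe. The administrator audit runs even when the plugin is already patched, because a compromise that happened before the update is not undone by it.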
