Authentication Bypass Vulnerability in Two-Factor Authentication

CVE-2024-10924

9.8CRITICAL

Key Information

Vendor: Really Simple Plugins
Status: Really Simple Security Pro Multisite; Really Simple Security – Simple And Performant Security (formerly Really Simple Ssl); Really Simple Security Pro
Vendor: CVE Published:; 15 November 2024

Badges

😄 Trended👾 Exploit Exists🔴 Public PoC📰 News Worthy

Summary

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are affected by a critical authentication bypass vulnerability, tracked as CVE-2024-10924, with a high CVSS score of 9.8. This vulnerability can allow unauthenticated attackers to log in as any existing user on the site, including administrators, when the "Two-Factor Authentication" setting is enabled. It affects over 4 million WordPress sites. The vulnerability was patched in version 9.1.2, released after responsible disclosure, but there is a risk of exploitation due to the large number of affected sites. Exploitation could lead to hijacking of WordPress sites and further use for criminal purposes. There is no mention of known exploits by ransomware groups at this time.

Affected Version(s)

Really Simple Security Pro multisite <= 9.1.1.1

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.1.1.1

Really Simple Security Pro <= 9.1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10924
Created by FoKiiin

wordpress-really-simple-security-authn-bypass-vulnerable-application
Created by m3ssap0

CVE-2024-10924
Created by RandomRobbieBF