The listings featured on this site are from companies from which this site receives compensation and some are co-owned by our parent company. This influence: Rank and manner in which listings are presented.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

WordPress Plugin Flaw Puts Millions of Sites at Risk of Takeover

WordPress Plugin Flaw Puts Millions of Sites at Risk of Takeover
Author Image Anka Markovic Borak
Anka Markovic Borak Published on 22nd November 2024 Cybersecurity Researcher

A severe vulnerability affecting the Really Simple Security WordPress plugin, previously Really Simple SSL, has put four million websites at risk of potential takeover. Discovered on November 6, 2024, by Wordfence researchers, the flaw allows attackers to bypass authentication and gain administrative access due to faulty user verification handling.

The vulnerability, identified as CVE-2024-10924 with a CVSS score of 9.8, originates from improper user authentication in the plugin's two-factor REST API actions. Specifically, the check_login_and_get_user() function fails to reject invalid 'login_nonce' parameters, instead triggering the authenticate_and_redirect() function, which permits access based on 'user_id' alone. This oversight leads to unauthorized logins when 2FA is enabled, an option that many site administrators activate for added security.

Wordfence called this issue one of the most serious in its 12-year history, emphasizing the risk of large-scale automated exploitation. Such attacks could enable threat actors to easily seize administrative control of popular sites and use them for further malicious activities.

Both free and Pro versions of Really Simple Security, including Pro Multisite, from versions 9.0.0 to 9.1.1.1, are impacted. The plugin is active on more than four million sites.

The developer released a fix by ensuring the check_login_and_get_user() function exits promptly when login_nonce fails. The patch was implemented in version 9.1.2, which became available on November 12 for the Pro version and November 14 for the free version.

WordPress.org collaborated with the plugin developer to push an automatic security update to version 9.1.2 for affected sites. Despite this, administrators are urged to manually verify their sites' plugin version to ensure it is up to date. Pro users with expired licenses must update manually as the auto-update will not apply.

A similar issue occurred at the beginning of 2024 when 150,000 websites were exposed to takeover risk due to to critical vulnerabilities in the POST SMTP Mailer WordPress plugin. Likewise, in March 2024, more than 3,300 WordPress websites were jeopardized through flaws in the Popup Builder plugin.

About the Author

  • Author Image Anka Markovic Borak
  • Anka Markovic Borak Cybersecurity Researcher

Anka is a tech writer with a keen interest in cybersecurity and online privacy. She thinks it's really important to educate people on how to avoid misuse of their data.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address