A critical authentication bypass vulnerability (CVE-2024-10924) has been discovered in the Really Simple Security plugin, including its Pro and Pro Multisite versions. This plugin, widely used on over 4 million WordPress sites, is designed to enhance security through features such as two-factor authentication (2FA).
The vulnerability, identified by István Márton of the Wordfence Threat Intelligence team, arises from an insecure implementation of the plugin’s two-factor authentication system via its REST API. With a CVSS score of 9.8, this flaw could allow unauthenticated attackers to bypass authentication mechanisms and gain access to arbitrary accounts, including administrator accounts, on vulnerable websites.
Vulnerability Details
- Vulnerability Type: Authentication bypass via the REST API.
- Root Cause:
  - Improper error handling in the plugin's 2FA feature.
  - The function that checks the login incorrectly handles WP_REST_Response error objects, so the flow continues and grants access even when the authentication check has failed.
- Impact: Unauthenticated attackers can:
  - Bypass 2FA.
  - Gain access to any user account, including administrator accounts.
  - Take over entire websites.
- Affected Versions: Really Simple Security 9.0.0 up to, but not including, 9.1.2 (including the Pro and Pro Multisite editions).
- Fixed Version: 9.1.2.
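The error-handling flaw described above, shown as an added illustration that is not the plugin's code: a hypothetical helper signals failure with a WP_REST_Response, the vulnerable caller only checks is_wp_error() and therefore treats the error as success, and the hardened caller proceeds only with a verified WP_User. The class names match WordPress; the stand-in class bodies, the nonce value and the function names are assumptions so that the script runs with plain PHP 8 outside WordPress.

```php
<?php
// Added example: a hypothetical reconstruction of the bug class the advisory
// describes (an authentication helper that signals failure with a
// WP_REST_Response, and a caller that only checks is_wp_error()). It is not the
// plugin's code. Minimal stand-ins for the WordPress classes are defined below
// so the script runs with plain `php` (8.0+) outside WordPress.

class WP_Error {}

class WP_User {
    public function __construct(public int $ID, public string $user_login) {}
}

class WP_REST_Response {
    public function __construct(private array $data, private int $status = 200) {}
    public function get_status(): int { return $this->status; }
}

function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Hypothetical helper shared by both callers. On a bad login nonce it returns an
// error *response* object rather than a WP_Error. The nonce value is constructed.
function check_login_and_get_user(int $user_id, string $login_nonce): WP_User|WP_REST_Response {
    if ($login_nonce !== 'constructed-valid-nonce') {
        return new WP_REST_Response(['error' => 'invalid login nonce'], 400);
    }
    return new WP_User($user_id, 'user' . $user_id);
}

// Stand-in for creating the session; records who was logged in.
function authenticate(int $user_id): string {
    return "session created for user {$user_id}";
}

// VULNERABLE pattern: only WP_Error counts as failure. A WP_REST_Response error
// is neither a WP_Error nor a user, yet execution falls through to authenticate()
// using the identity supplied in the request.
function finish_2fa_vulnerable(int $user_id, string $login_nonce): string {
    $user = check_login_and_get_user($user_id, $login_nonce);
    if (is_wp_error($user)) {
        return 'denied';
    }
    return authenticate($user_id);
}

// HARDENED pattern: treat anything that is not the expected success type as a
// failure, and take the identity from the verified object, not from the request.
function finish_2fa_hardened(int $user_id, string $login_nonce): string {
    $user = check_login_and_get_user($user_id, $login_nonce);
    if (!($user instanceof WP_User) || $user->ID !== $user_id) {
        // Surface the error status so the denial can be logged meaningfully.
        $status = $user instanceof WP_REST_Response ? $user->get_status() : 500;
        return "denied (status {$status})";
    }
    return authenticate($user->ID);
}

// Demo with a constructed request for user 1: an invalid nonce, then a valid one.
echo 'vulnerable, bad nonce: ', finish_2fa_vulnerable(1, 'wrong-nonce'), PHP_EOL;
echo 'hardened, bad nonce:   ', finish_2fa_hardened(1, 'wrong-nonce'), PHP_EOL;
echo 'hardened, good nonce:  ', finish_2fa_hardened(1, 'constructed-valid-nonce'), PHP_EOL;
```

The design point is that a negative check ("is this an error?") silently passes any third outcome the author did not anticipate, while a positive check ("is this exactly the success type I expect?") fails closed. Returning a WP_Error from helpers and checking with is_wp_error() is the conventional WordPress alternative; either way the caller should never take the account identity from the request once a verification step has run.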
Potential Impact
1. Complete Site Takeover
Attackers can gain administrator access, granting them control over website content, plugins, and sensitive data.
2. Data Breaches
Exposed administrator accounts could lead to the theft of:
- User credentials.
- Sensitive data stored within the website.
3. Operational Disruption
Compromised websites may be defaced, taken offline, or used as platforms for further attacks, such as phishing or malware distribution.
Mitigation Recommendations
- Immediate Actions
  - Update Really Simple Security to version 9.1.2 or later immediately.
  - Verify that every website running the plugin has applied the update.
- Audit User Access
  - Review all administrator and user accounts for unauthorized changes or suspicious activity.
  - Reset passwords for critical accounts, including administrator accounts.
- Strengthen Authentication
  - Pair 2FA with other controls, such as IP whitelisting and login rate limiting.
  - Do not rely on vulnerable plugin versions for core security functions.
- Monitoring and Logging
  - Enable logging of authentication attempts and REST API usage.
  - Review logs regularly for signs of exploitation, such as unusual login activity or unexpected REST API requests.
- Conduct Security Assessments
  - Use a Web Application Firewall (WAF) to block malicious traffic targeting REST API endpoints.
  - Run vulnerability scans to identify and address other potential weaknesses.
Technical Indicators of Exploitation (IoCs)
- Log entries showing unauthorized access to administrator accounts.
- Suspicious REST API calls to authentication endpoints.
- Unusual activity from new or unknown IP addresses.
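One way to turn the indicators above into a concrete check, as an added example that is not part of the advisory: a PHP script that parses constructed access-log lines in combined log format and flags source IPs that call a 2FA-looking REST route and then reach wp-admin successfully without an interactive POST to wp-login.php in between, noting whether the IP is on a known-administrator allowlist. The route pattern (TWO_FA_REST_PATTERN), the allowlist and every log line are assumptions; substitute the routes the installed plugin version actually registers and your own access history.

```php
<?php
// Added example: a small detector for the indicators listed above, run over
// constructed web server access-log lines (combined log format). It is not
// part of the advisory. The endpoint pattern for "2FA-related REST calls" and
// the list of known administrator IPs are assumptions standing in for values a
// site owner would take from their own plugin routes and access history.

const LOG_PATTERN = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/';

// ASSUMPTION: matches REST routes that look 2FA-related; replace with the exact
// route(s) registered by the plugin version in use.
const TWO_FA_REST_PATTERN = '#^/wp-json/[^?]*(two[_-]?fa|2fa)#i';

// Constructed allowlist of IPs that normally administer the site.
const KNOWN_ADMIN_IPS = ['203.0.113.10'];

// Parse one access-log line into its fields, or null if it does not match.
function parse_line(string $line): ?array {
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;
    }
    return ['ip' => $m['ip'], 'time' => $m['time'], 'method' => $m['method'],
            'path' => $m['path'], 'status' => (int) $m['status']];
}

// Returns one finding per source IP whose sequence matches the IoCs: a REST
// call to a 2FA-looking endpoint, then a successful wp-admin request, with no
// interactive login (POST /wp-login.php) in between.
function detect_suspicious_sequences(array $lines): array {
    $state = [];  // ip => ['rest' => ?time, 'login' => bool, 'admin' => ?time]
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null) {
            continue;
        }
        $s = &$state[$e['ip']];
        $s ??= ['rest' => null, 'login' => false, 'admin' => null];
        if (preg_match(TWO_FA_REST_PATTERN, $e['path'])) {
            $s['rest'] = $e['time'];
            $s['login'] = false;  // a legitimate login would follow, not precede, this call
        } elseif ($e['method'] === 'POST' && str_starts_with($e['path'], '/wp-login.php')) {
            $s['login'] = true;
        } elseif (str_starts_with($e['path'], '/wp-admin/') && $e['status'] === 200
                  && $s['rest'] !== null && !$s['login']) {
            $s['admin'] = $e['time'];
        }
        unset($s);
    }
    $findings = [];
    foreach ($state as $ip => $s) {
        if ($s['rest'] !== null && $s['admin'] !== null) {
            $findings[] = sprintf(
                '%s: 2FA REST call at %s, wp-admin reached at %s without a wp-login.php POST%s',
                $ip, $s['rest'], $s['admin'],
                in_array($ip, KNOWN_ADMIN_IPS, true) ? '' : ' (IP not in admin allowlist)'
            );
        }
    }
    return $findings;
}

// Constructed sample log: a normal administrator login, then a suspicious sequence
// from an unknown address. Route and addresses are placeholders.
$sample_log = [
    '203.0.113.10 - - [20/Nov/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [20/Nov/2024:09:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [20/Nov/2024:09:13:40 +0000] "POST /wp-json/example-plugin/v1/two_fa/example_route HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [20/Nov/2024:09:13:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (detect_suspicious_sequences($sample_log) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it against a real log with `php detector.php < access.log` after replacing the sample array with `file('php://stdin')`. The sequence rule is deliberately narrow so that it produces few false positives; a second, broader pass (any request to the 2FA route from an IP with no prior history on the site) is a reasonable complement when the plugin was exposed before the update was applied.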
References and Additional Resources
- Wordfence Advisory: CVE-2024-10924 Report
- Plugin Release Notes: Really Simple Security v9.1.2
- Best Practices: Hardening WordPress
Conclusion
CVE-2024-10924 is a critical vulnerability that poses an immediate and severe threat to millions of WordPress sites. Website administrators must act urgently to update the Really Simple Security plugin and review their websites for signs of compromise.
Organizations should also adopt layered security practices to mitigate risks from similar vulnerabilities in the future. Prompt action is essential to protect websites from potential exploitation and significant operational, financial, and reputational damages.