Hackers can log into millions of WordPress websites thanks to critical bug

A critical bug in Really Simple Security allows attackers to log in without a password when 2FA is enabled. The vulnerability is so easy to exploit that patching should be the absolute top priority.

The popular plug-in Really Simple Security is susceptible to an extremely critical bug. That’s what security specialist Wordfence discovered. Wordfence has been providing security for WordPress for 12 years, and calls the vulnerability the most serious one that has come up in all that time. About four million WordPress sites rely on Really Simple Security.

The impact of the bug is significant. Because of a faulty line of code in the 2FA implementation, in certain cases the plug-in only checks whether a user exists. When the ‘login_nonce’ parameter fails validation, the plug-in proceeds to authenticate the user anyway, based only on the user ID.

Ironically, the bug only occurs when users of the plug-in have enabled 2FA, i.e. when they have correctly followed best practices for increased security. The bug in question goes by the name CVE-2024-10924 and affects versions 9.0.0 to 9.1.1.1 of the Free, Pro and Pro Multisite editions.

Automatic updates

Version 9.1.2 of the Really Simple Security plug-in no longer contains the bug. That update came out on Nov. 12 for free users and Nov. 14 for Pro edition users. The developers worked with WordPress to forcibly roll out the update, and in many cases they will have succeeded, but certainly not for everyone.

It is essential to check immediately whether version 9.1.2 of Really Simple Security is running. After all, the bug is easy for criminals to exploit, and they can even automate the process. Wordfence Premium, Care and Response have been given a firewall rule that stops abuse; that rule is available to paying users. Free Wordfence customers will also get the firewall rule on Dec. 6, but it is not a good idea to wait for it.

Is your website secured via Really Simple Security (formerly Really Simple SSL)? Then check immediately if version 9.1.2 is already installed.
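As an added illustration (not code from Wordfence or the Really Simple Security developers), the following script reads the Version field from a WordPress plug-in's main PHP file and reports whether it lies in the affected 9.0.0 to 9.1.1.1 range. The file path passed on the command line and the embedded sample header are assumptions; the sample is constructed, not the real plug-in file.

```python
"""Flag a WordPress plug-in whose header version lies in the range the
article gives for CVE-2024-10924. Illustrative code for this article,
not code from Wordfence or the Really Simple Security project."""
import re
import sys

# Inclusive affected range, as stated in the article.
AFFECTED_MIN = "9.0.0"
AFFECTED_MAX = "9.1.1.1"

# Constructed sample of a WordPress plug-in header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

def parse_version(version):
    """Map '9.1.1.1' -> (9, 1, 1, 1), padding to four components so that
    tuple comparison works; plain string comparison would rank '9.1.1.1'
    above '9.1.2' and miss the vulnerable build."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))

def header_version(text):
    """Read the 'Version:' field from a plug-in header comment, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def is_affected(version):
    """True when version is within [AFFECTED_MIN, AFFECTED_MAX]."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)

def assess(text):
    """Return 'affected', 'not affected' or 'unknown' for a file's text."""
    version = header_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"

if __name__ == "__main__":
    # Pass the plug-in's main PHP file as an argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEADER
    print(f"{header_version(text)}: {assess(text)}")
```

A version below 9.0.0 is reported as not affected by this bug, which says nothing about other issues fixed since; the safe target is 9.1.2 or later.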
