- WordFence finds “one of the most severe flaws” in its 12-year history
- The critical flaw resides in the Really Simple Security plugin
- The bug allows for automated, mass website takeover
Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website.
Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin, both free and paid versions.
This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues. Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations.
Biggest threat in more than a decade
The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.”
It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.0.0 to 9.1.1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.2.
Currently, the WordPress plugins site shows 44.1% of installations being for version 9.1, with the remaining 65.9% falling on older versions.
Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.
The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well.