Approximately 4 million WordPress websites rely on the “Really Simple Security” plugin. Unfortunately, this widely used tool contains a critical vulnerability that allows attackers to compromise websites. Specifically, the flaw can enable attackers to bypass authentication, potentially gaining unauthorized access to WordPress sites. This issue has been highlighted by the cybersecurity company Wordfence.
According to a blog post by Wordfence, the plugin was previously known as “Really Simple SSL” and is currently available in Free, Pro, and Pro Multisite versions. The vulnerability affects all plugin versions from 9.0.0 to 9.1.1.1.
Authentication Bypass Vulnerability Identified
The vulnerability, tracked as CVE-2024-10924 with a critical CVSS score of 9.8, resides in the plugin’s two-factor REST API function check_login_and_get_user
. Due to improper user-check error handling, attackers could log in as existing users—potentially even as administrators—without prior authentication. Notably, this exploit is only possible if two-factor authentication is enabled, which is disabled by default. Cybersecurity experts, however, consistently recommend enabling two-factor authentication as an additional security measure.
For those interested, the Wordfence blog post provides a more detailed technical analysis of the vulnerability.
Critical Patch Automatically Rolled Out
Given the severity of the issue, the Really Simple Security plugin developer collaborated with the WordPress plugins team to release an automatic forced security update. This patch, version 9.1.2, is being deployed across affected WordPress instances to address the vulnerability. While the majority of affected websites should now be running the updated version, Wordfence advises users to manually verify that the update has been applied. If necessary, administrators should perform the update manually. The rollout process began earlier this week.
A Broader Perspective on WordPress Plugin Security
While vulnerabilities in WordPress plugins are not uncommon, those affecting millions of websites are rare. Recently, another widely used plugin, LiteSpeed Cache—installed on over 6 million WordPress sites—was also found to have critical security flaws.
The Importance of Regular Updates and Maintenance
This incident underscores the importance of keeping plugins and WordPress installations up to date. Regular maintenance not only protects against vulnerabilities but also ensures optimal performance and stability for your website. If you find managing updates and security patches overwhelming, I offer professional WordPress maintenance services to ensure your site stays secure and functional.
Reach out today to safeguard your website and keep it running smoothly.