November 17, 2024 at 11:57PM
A critical authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress could allow attackers to gain full admin access. Affecting over 4 million sites, the vulnerability has been patched in version 9.1.2 after responsible disclosure. Similar vulnerabilities were also found in WPLMS Learning Management System.
### Meeting Takeaways – November 18, 2024
**Key Vulnerability Disclosed:**
– A critical authentication bypass vulnerability (CVE-2024-10924, CVSS score: 9.8) has been identified in the Really Simple Security plugin for WordPress, affecting over 4 million sites.
– Exploitation can grant attackers full administrative access to vulnerable WordPress sites, potentially enabling site hijacking for malicious purposes.
**Details of the Vulnerability:**
– The vulnerability affects versions 9.0.0 to 9.1.1.1 of the plugin.
– It arises from improper error handling in the `check_login_and_get_user` function, allowing unauthenticated attackers to log in as any user, including administrators, especially when two-factor authentication is enabled.
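The defect class named above (a login helper that signals failure through an error return, and a caller that never checks it) is easy to see in code. The following is an added illustration written for this summary; it is not the plugin's own code and does not reproduce its logic. The `WP_Error`/`WP_User` stand-ins, the `is_wp_error()` stub, the user and token tables, and the `vulnerable_skip_2fa`/`hardened_skip_2fa` handler names are all constructed for the example (PHP 8 or later):

```php
<?php
// Added illustration (not the plugin's code): an unchecked error return in a
// login helper becomes an authentication bypass; the hardened caller follows.
// Minimal stand-ins for the WordPress types so this file runs offline with `php`.
class WP_Error { public function __construct(public string $code, public string $message) {} }
class WP_User  { public function __construct(public int $ID, public string $user_login) {} }
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Constructed user table and per-user one-time login tokens (hypothetical values).
const USERS  = [1 => 'admin', 7 => 'editor'];
const TOKENS = [1 => 'tok-admin-xyz', 7 => 'tok-editor-abc'];

// Helper modelled on the page's description only: returns a WP_User when the
// token matches the requested user, and a WP_Error otherwise.
function check_login_and_get_user(int $user_id, string $token): WP_User|WP_Error {
    if (!isset(USERS[$user_id]) || !hash_equals(TOKENS[$user_id] ?? '', $token)) {
        return new WP_Error('invalid_token', 'Login token is invalid.');
    }
    return new WP_User($user_id, USERS[$user_id]);
}

// VULNERABLE caller: the helper's return value is discarded, so an error object
// is never noticed and the session is issued for the user_id the client supplied.
function vulnerable_skip_2fa(array $request): ?int {
    check_login_and_get_user((int) $request['user_id'], (string) $request['token']);
    return (int) $request['user_id'];   // session would be created for this ID
}

// HARDENED caller: stop on error, and take the identity from the verified
// object rather than from the request.
function hardened_skip_2fa(array $request): ?int {
    $user = check_login_and_get_user((int) $request['user_id'], (string) $request['token']);
    if (is_wp_error($user)) {
        error_log("login rejected: {$user->code}");   // useful signal for detection
        return null;                                  // no session
    }
    return $user->ID;
}

// A request naming the administrator with a token that does not match.
$forged = ['user_id' => 1, 'token' => 'wrong'];
printf("vulnerable: %s\n", var_export(vulnerable_skip_2fa($forged), true));
printf("hardened:   %s\n", var_export(hardened_skip_2fa($forged), true));
```

Run with `php example.php`. The vulnerable handler returns the administrator's ID for the forged request because the failed check is silently dropped; the hardened handler returns no session and logs the rejection, which is the event a site operator would want to alert on. The two fixes that matter are checking the error return before doing anything with the result, and never taking the authenticated identity from client-controlled input.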
**Mitigation Measures:**
– The vulnerability was responsibly disclosed on November 6, 2024, and a patch (version 9.1.2) was released on November 13, 2024.
– Plugin maintainers are collaborating with WordPress to enforce updates on all affected sites before public disclosure.
**Additional Vulnerabilities Highlighted:**
– Wordfence also reported another critical vulnerability (CVE-2024-10470, CVSS score: 9.8) in the WPLMS Learning Management System, allowing unauthenticated users to read and delete arbitrary server files, which could lead to complete site takeover.
**Security Implications:**
– Both vulnerabilities are exploitable without authentication and could compromise site integrity and user data.
**Recommendation:**
– It is crucial for users of the affected plugins to update to the latest versions immediately to mitigate risks associated with these vulnerabilities.
**Conclusion:**
– Vigilant monitoring of plugin security and timely updates are essential to safeguard WordPress sites from such threats.