We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

WordPress Plugin Flaw Puts Millions of Sites at Risk of Takeover

WordPress Plugin Flaw Puts Millions of Sites at Risk of Takeover
Anka Markovic Borak Published on 22nd November 2024 Writer and Quality Assessor

A severe vulnerability affecting the Really Simple Security WordPress plugin, previously Really Simple SSL, has put four million websites at risk of potential takeover. Discovered on November 6, 2024, by Wordfence researchers, the flaw allows attackers to bypass authentication and gain administrative access due to faulty user verification handling.

The vulnerability, identified as CVE-2024-10924 with a CVSS score of 9.8, originates from improper user authentication in the plugin's two-factor REST API actions. Specifically, the check_login_and_get_user() function fails to reject invalid 'login_nonce' parameters, instead triggering the authenticate_and_redirect() function, which permits access based on 'user_id' alone. This oversight leads to unauthorized logins when 2FA is enabled, an option that many site administrators activate for added security.

Wordfence called this issue one of the most serious in its 12-year history, emphasizing the risk of large-scale automated exploitation. Such attacks could enable threat actors to easily seize administrative control of popular sites and use them for further malicious activities.

Both free and Pro versions of Really Simple Security, including Pro Multisite, from versions 9.0.0 to 9.1.1.1, are impacted. The plugin is active on more than four million sites.

The developer released a fix by ensuring the check_login_and_get_user() function exits promptly when login_nonce fails. The patch was implemented in version 9.1.2, which became available on November 12 for the Pro version and November 14 for the free version.

WordPress.org collaborated with the plugin developer to push an automatic security update to version 9.1.2 for affected sites. Despite this, administrators are urged to manually verify their sites' plugin version to ensure it is up to date. Pro users with expired licenses must update manually as the auto-update will not apply.

A similar issue occurred at the beginning of 2024 when 150,000 websites were exposed to takeover risk due to to critical vulnerabilities in the POST SMTP Mailer WordPress plugin. Likewise, in March 2024, more than 3,300 WordPress websites were jeopardized through flaws in the Popup Builder plugin.

About the Author

Anka Markovic-Borak is a writer and quality assessor at vpnMentor, who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures articles written by others are reaching vpnMentor's high standards.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address