CVE-2024-10924

EPSS 93.91%
Veröffentlicht 15.11.2024 04:15:03
Zuletzt bearbeitet 23.01.2026 16:15:49
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

Mögliche Gegenmaßnahme

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL): Update to version 9.1.2, or a newer patched version

Really Simple Security Pro: Update to version 9.1.2, or a newer patched version

Really Simple Security Pro multisite: Update to version 9.1.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 11

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)

Version 9.0.0-9.1.1.1

SystemWordPress Plugin

≫

Produkt Really Simple Security Pro

Version 9.0.0-9.1.1.1

SystemWordPress Plugin

≫

Produkt Really Simple Security Pro multisite

Version 9.0.0-9.1.1.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Really-simple-plugins ≫ Really Simple Security SwEdition- SwPlatformwordpress Version >= 9.0.0 < 9.1.2

Really-simple-plugins ≫ Really Simple Security SwEditionpro SwPlatformwordpress Version >= 9.0.0 < 9.1.2

Really-simple-plugins ≫ Really Simple Security SwEditionpro_multisite SwPlatformwordpress Version >= 9.0.0 < 9.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.91%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277

Product

https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278

Product

https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67

Product

https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl

Patch

https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve

Third Party Advisory