9.8
CVE-2024-10924
- EPSS 81.72%
- Veröffentlicht 15.11.2024 04:15:03
- Zuletzt bearbeitet 23.01.2026 16:15:49
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginReally Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Mögliche Gegenmaßnahme
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL): Update to version 9.1.2, or a newer patched version
Really Simple Security Pro: Update to version 9.1.2, or a newer patched version
Really Simple Security Pro multisite: Update to version 9.1.2, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Really-simple-plugins ≫ Really Simple Security SwEdition- SwPlatformwordpress Version >= 9.0.0 < 9.1.2
Really-simple-plugins ≫ Really Simple Security SwEditionpro SwPlatformwordpress Version >= 9.0.0 < 9.1.2
Really-simple-plugins ≫ Really Simple Security SwEditionpro_multisite SwPlatformwordpress Version >= 9.0.0 < 9.1.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)
Version
9.0.0-9.1.1.1
SystemWordPress Plugin
≫
Produkt
Really Simple Security Pro
Version
9.0.0-9.1.1.1
SystemWordPress Plugin
≫
Produkt
Really Simple Security Pro multisite
Version
9.0.0-9.1.1.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 81.72% | 0.996 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2024-10924
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be