Millions of WordPress sites could be at risk from "one of the most serious" plugin flaws ever found

Image credit: Shutterstock (Image credit: Shutterstock)

WordFence finds "one of the most severe flaws" in its 12-year history
The critical flaw resides in the Really Simple Security plugin
The bug allows for automated, mass website takeover

Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website.

Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin, both free and paid versions.

This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues. Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations.

Biggest threat in more than a decade

The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.”

It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.0.0 to 9.1.1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.2.

Currently, the WordPress plugins site shows 44.1% of installations being for version 9.1, with the remaining 65.9% falling on older versions.

Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.

The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well.

North Korean hackers are targeting Apple users with new macOS malware
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.