Millions of WordPress sites could be at risk from "one of the most serious" plugin flaws ever found
Critical flaw in Really Simple Security puts millions of WordPress websites at risk
- WordFence finds "one of the most severe flaws" in its 12-year history
- The critical flaw resides in the Really Simple Security plugin
- The bug allows for automated, mass website takeover
Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website.
Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin, both free and paid versions.
This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues. Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations.
Biggest threat in more than a decade
The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.”
It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.0.0 to 9.1.1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.2.
Currently, the WordPress plugins site shows 44.1% of installations being for version 9.1, with the remaining 65.9% falling on older versions.
Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well.
You might also like
- North Korean hackers are targeting Apple users with new macOS malware
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.