Friday, February 7, 2025
HomeCVE/vulnerability4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability has been discovered in the popular “Really Simple Security” WordPress plugin, formerly known as “Really Simple SSL,” putting over 4 million websites at risk.

The flaw, identified as CVE-2024-10924, exposes websites using the plugin to potential remote attacks, enabling threat actors to gain unauthorized administrative access.

Vulnerability Overview

The vulnerability affects versions 9.0.0 through 9.1.1.1 of the Simple Security plugin, including the Pro and Pro Multisite versions.

Exploiting an authentication bypass flaw, attackers can remotely access any user account, including administrator accounts, if the “Two-Factor Authentication” feature is enabled.

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

The flaw stems from improper handling of user verification in the plugin’s two-factor REST API functions.

This security issue is particularly concerning due to its high CVSS score of 9.8, classifying it as “Critical.”

The vulnerability allows attackers to gain access to privileged accounts and take full control of affected websites.

A large-scale automated attack exploiting this flaw could potentially target millions of WordPress sites globally.

Vulnerability
Vulnerability

Upon identifying the issue on November 6, 2024, Wordfence Threat Intelligence began working closely with the plugin’s vendor to address the vulnerability.

The developer responded promptly, and a patched version of the plugin (9.1.2) was released on November 14, 2024.

The WordPress.org plugins team also initiated a forced update to ensure that most sites using the plugin are automatically updated to the secure version.

However, site owners are strongly advised to manually verify that their plugins are updated to version 9.1.2 or higher. Websites running older versions remain vulnerable to potential attacks.

With over 4 million websites still relying on this crucial plugin, site administrators are urged to check their WordPress installations and apply the update immediately.

Additionally, users of the Pro and Pro Multisite versions without auto-update enabled should manually install the latest patch to secure their sites.

Analyze Unlimited Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.



Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...