Four Million WordPress Sites at Risk Due to Critical Flaw in Really Simple Security Plugin

Wordfence disclosed a critical authentication bypass in the Really Simple Security (formerly Really Simple SSL) WordPress plugin that allowed unauthenticated attackers to bypass two-factor authentication and log in as any account, including administrators. The flaw was patched in version 9.1.2 and Wordfence released firewall rules; site owners should verify that the plugin has actually updated rather than assume the forced update reached them. #ReallySimpleSecurity #Wordfence #WordPress

Keypoints

  • A critical authentication bypass affecting Really Simple Security (Free, Pro, Pro Multisite) was discovered, impacting over 4 million WordPress sites.
  • The vulnerability (affecting versions 9.0.0 through 9.1.1.1) lets unauthenticated attackers bypass Two-Factor Authentication and log in as any user, including administrators.
  • Wordfence authored and deployed a firewall rule for Premium/Care/Response customers on Nov 6, 2024; Free users receive the same protection on Dec 6, 2024.
  • The issue stems from improper error handling in the plugin’s two-factor REST API (the check_login_and_get_user function returns an unhandled WP_REST_Response on failure).
  • Vendor patched Pro plugins on Nov 12 and the Free plugin on Nov 14, 2024, and coordinated forced updates via WordPress.org to push version 9.1.2.
  • Pro versions are affected as well, and Pro sites without a valid license may not auto-update; site owners and hosts are urged to verify the installed version on every site and scan for unpatched instances.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

  • [Domain] plugin and advisory domains (vendor/reference domains, not attacker infrastructure) – wordpress.org/plugins/really-simple-ssl, really-simple-ssl.com, wordfence.com
  • [Plugin Version] affected and patched versions – affected 9.0.0–9.1.1.1, patched 9.1.2
  • [Code/Function names] code references useful for analysis – check_login_and_get_user, skip_onboarding, Rsssl_Two_Factor_On_Board_Api

----
The Really Simple Security plugin (formerly Really Simple SSL) contained a critical authentication bypass in its two-factor REST API that could be triggered by unauthenticated requests. Because the plugin’s check_login_and_get_user function returned an unhandled WP_REST_Response on verification failure instead of stopping the request, processing continued and authenticate_and_redirect logged the caller in as the user ID supplied in the request. The vendor released fixes (Pro: Nov 12, Free: Nov 14, 2024), Wordfence pushed firewall rules to Premium customers on Nov 6 (Free on Dec 6), and WordPress.org initiated forced updates to version 9.1.2. Forced updates do not reach every installation (notably Pro installs without a valid license), so site owners and hosts should confirm that each site actually runs 9.1.2 and scan for unpatched installations.
----
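The bug class described above, reduced to a runnable PHP sketch. This is an added illustration, not the plugin's code or Wordfence's proof of concept: the function names check_login_and_get_user, skip_onboarding and authenticate_and_redirect come from the advisory, but their bodies, the HMAC login-nonce scheme, the WP_User/WP_REST_Response/WP_Error stand-ins and the attacker request are assumptions so the file runs from the PHP CLI (PHP 8+) without WordPress. The vulnerable shape signals failure with a response object that the caller never inspects; the hardened shape returns WP_Error, checks the result, and authenticates only the verified user object.

```php
<?php
declare(strict_types=1);

// Stand-ins for the WordPress pieces the example touches, so it runs from the PHP CLI
// (php this_file.php) without a WordPress install. Simplified assumptions, not WP core.
class WP_User {
    public function __construct(public int $ID) {}
}
class WP_REST_Response {
    public function __construct(public mixed $data, public int $status = 200) {}
}
class WP_Error {
    public function __construct(public string $code, public string $message, public array $data = []) {}
}
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Assumed login-nonce scheme: an HMAC over the user id with a server-side secret.
const LOGIN_NONCE_SECRET = 'replace-with-a-server-side-secret';
function login_nonce_for(int $user_id): string {
    return hash_hmac('sha256', (string) $user_id, LOGIN_NONCE_SECRET);
}
function nonce_is_valid(int $user_id, string $nonce): bool {
    return hash_equals(login_nonce_for($user_id), $nonce);
}

// Stands in for the step that would call wp_set_auth_cookie(); records who got logged in.
$current_user_id = 0;
function authenticate_and_redirect(int $user_id): WP_REST_Response {
    global $current_user_id;
    $current_user_id = $user_id;
    return new WP_REST_Response(['redirect_to' => '/wp-admin/'], 200);
}

// --- Vulnerable shape (the bug class the advisory describes) ---
function vulnerable_check_login_and_get_user(int $user_id, string $nonce): WP_User|WP_REST_Response {
    if (!nonce_is_valid($user_id, $nonce)) {
        // Failure is reported as a response object, not an error or an early exit...
        return new WP_REST_Response(['message' => 'Invalid login nonce'], 403);
    }
    return new WP_User($user_id);
}
function vulnerable_skip_onboarding(array $request): WP_REST_Response {
    $user_id = (int) ($request['user_id'] ?? 0);
    $user = vulnerable_check_login_and_get_user($user_id, (string) ($request['login_nonce'] ?? ''));
    // ...and nothing inspects $user, so execution falls through and the attacker-chosen id is logged in.
    return authenticate_and_redirect($user_id);
}

// --- Hardened shape: fail closed, and act only on the verified user object ---
function hardened_check_login_and_get_user(int $user_id, string $nonce): WP_User|WP_Error {
    if (!nonce_is_valid($user_id, $nonce)) {
        return new WP_Error('rsssl_invalid_nonce', 'Invalid login nonce', ['status' => 403]);
    }
    return new WP_User($user_id);
}
function hardened_skip_onboarding(array $request): WP_REST_Response|WP_Error {
    $user_id = (int) ($request['user_id'] ?? 0);
    $user = hardened_check_login_and_get_user($user_id, (string) ($request['login_nonce'] ?? ''));
    if (!($user instanceof WP_User)) {
        return $user;  // the WP_Error propagates to the REST layer as a 403; no cookie is ever set
    }
    return authenticate_and_redirect($user->ID);
}

// Constructed attacker request: user id 1 (normally the account created at install) and a bogus nonce.
$attack = ['user_id' => 1, 'login_nonce' => 'not-a-valid-nonce'];

$current_user_id = 0;
$r = vulnerable_skip_onboarding($attack);
printf("vulnerable: HTTP %d, current user id = %d\n", $r->status, $current_user_id);

$current_user_id = 0;
$r = hardened_skip_onboarding($attack);
printf("hardened:   %s, current user id = %d\n",
    is_wp_error($r) ? 'WP_Error ' . $r->code : 'HTTP ' . $r->status, $current_user_id);

// A legitimate caller supplies the nonce the server issued; the hardened path logs that user in.
$legit = ['user_id' => 7, 'login_nonce' => login_nonce_for(7)];
$current_user_id = 0;
$r = hardened_skip_onboarding($legit);
printf("hardened, valid nonce: HTTP %d, current user id = %d\n", $r->status, $current_user_id);
```

Run with `php this_file.php`. The vulnerable path reports a 200 with user id 1 logged in despite the bogus nonce, because the 403 response object built inside the check is simply discarded; the hardened path returns the WP_Error and leaves the session untouched, and only succeeds for the request carrying the server-issued nonce. The general lesson is that a verification helper must make the failure impossible to ignore (return an error type the caller is required to branch on, or abort the request itself), and the caller should act on the verified object it got back, never on the raw request value it started with.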

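For the verification step the advisory asks of site owners and hosts, here is an added PHP scanner (not the vendor's or Wordfence's tooling) that walks one or more webroots, finds every Really Simple SSL / Really Simple Security install by its plugin header, and flags versions in the affected range 9.0.0 through 9.1.1.1. It assumes the default layout `<webroot>/wp-content/plugins/<slug>/<file>.php` and matches the header's "Plugin Name" against "Really Simple SSL" or "Really Simple Security" rather than a fixed slug, so Free and Pro installs are both caught; the sample header at the bottom is constructed for the self-check.

```php
<?php
declare(strict_types=1);

// Version boundaries from the advisory.
const RSSSL_FIRST_AFFECTED = '9.0.0';
const RSSSL_LAST_AFFECTED  = '9.1.1.1';
const RSSSL_FIXED          = '9.1.2';

function rsssl_version_is_affected(string $version): bool {
    return version_compare($version, RSSSL_FIRST_AFFECTED, '>=')
        && version_compare($version, RSSSL_LAST_AFFECTED, '<=');
}

// Pull one "Key: value" field out of a WordPress plugin header block (the /** ... */ comment
// at the top of the plugin's main file). Same shape WordPress itself parses with get_file_data().
function plugin_header_field(string $head, string $key): ?string {
    $pattern = '/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi';
    if (!preg_match($pattern, $head, $m)) {
        return null;
    }
    $value = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
    return $value === '' ? null : $value;
}

// Walk each webroot's plugin directory and report every Really Simple SSL / Security install.
// Assumption: plugins live under <webroot>/wp-content/plugins/<slug>/<file>.php (the default layout).
function scan_webroots(array $webroots): array {
    $findings = [];
    foreach ($webroots as $root) {
        $pattern = rtrim($root, '/') . '/wp-content/plugins/*/*.php';
        foreach (glob($pattern) ?: [] as $file) {
            $head = file_get_contents($file, false, null, 0, 8192); // WordPress reads 8 KiB for headers
            if ($head === false) {
                continue;
            }
            $name = plugin_header_field($head, 'Plugin Name');
            if ($name === null || !preg_match('/^Really Simple (SSL|Security)/i', $name)) {
                continue;
            }
            $version = plugin_header_field($head, 'Version');
            $findings[] = [
                'site'     => $root,
                'plugin'   => $name,
                'file'     => $file,
                'version'  => $version,
                'affected' => $version !== null && rsssl_version_is_affected($version),
            ];
        }
    }
    return $findings;
}

// Self-check on a constructed header (not a real plugin file).
$sample = "<?php\n/**\n * Plugin Name: Really Simple Security\n * Version: 9.1.1.1\n */\n";
printf("self-check: parsed version %s, affected=%s, fixed %s affected=%s\n",
    plugin_header_field($sample, 'Version'),
    rsssl_version_is_affected('9.1.1.1') ? 'yes' : 'no',
    RSSSL_FIXED,
    rsssl_version_is_affected(RSSSL_FIXED) ? 'yes' : 'no');

// Usage: php rsssl_scan.php /var/www/site-a /var/www/site-b
foreach (scan_webroots(array_slice($argv, 1)) as $f) {
    printf("%-8s %-10s %s (%s)\n",
        $f['affected'] ? 'AFFECTED' : 'ok', $f['version'] ?? 'unknown', $f['site'], $f['plugin']);
}
```

Because the comparison uses PHP's version_compare, four-component versions such as 9.1.1.1 sort correctly against 9.1.2. On hosts with WP-CLI available, `wp plugin list --format=json` run in each webroot is a quicker source of the same installed-version data; reading the plugin header directly is useful when you want to sweep many sites from the filesystem without bootstrapping WordPress, and it also catches installs whose auto-update silently did not happen.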

Read more: https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability