CVE-2024-10924
Published 2024-11-15
Priority P193 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited · VulnCheck KEV · Initial access
EPSS: 81.72% (99.6th percentile)
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| really-simple-plugins | really_simple_security | >= 9.0.0 < 9.1.2 | 9.1.2 |
| really_simple_plugins | really_simple_security_pro | 9.0.0 – 9.1.1.1 | — |
| really_simple_plugins | really_simple_security_pro_multisite | 9.0.0 – 9.1.1.1 | — |
| rogierlankhorst | really_simple_security_simple_and_performant_security | 9.0.0 – 9.1.1.1 | — |
Detection & IOCs (extracted from sources)
YARA
id: CVE-2024-10924 (Nuclei template — POST to /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding with user_id and invalid login_nonce; response contains '"redirect_to":"\/wp-admin\/"')
- Monitor for unauthenticated POST requests to the REST API endpoint '?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding' — this is the specific endpoint abused to trigger the authentication bypass.
- Alert on HTTP 200 responses to the skip_onboarding endpoint that set authentication cookies (Set-Cookie header present and not containing '=deleted;') and include 'redirect_to' in the response body — this indicates a successful bypass.
- The exploit payload sends a JSON body with 'user_id' (typically 1 for admin) and a random/invalid 'login_nonce' — detect POST bodies to the REST endpoint containing both 'user_id' and 'login_nonce' fields from unauthenticated sessions.
- Scan WordPress installations for the presence of the vulnerable plugin path '/wp-content/plugins/really-simple-ssl' running versions 9.0.0 through 9.1.1.1.
- The vulnerability is only exploitable when Two-Factor Authentication is enabled in the Really Simple Security plugin. Prioritize detection/patching on sites with 2FA active.
- The flaw can be exploited en masse via automated scripts — look for high-volume, rapid sequential POST requests to the skip_onboarding REST endpoint across multiple sites or with incrementing 'user_id' values.
- The Metasploit module chains the auth bypass with plugin upload for RCE — detect follow-on plugin upload attempts (POST to wp-admin plugin upload endpoints) immediately after successful authentication from previously unauthenticated sessions.
- The vulnerability is only exploitable when the Two-Factor Authentication feature is explicitly enabled in the Really Simple Security plugin — it is disabled by default, so sites that have never enabled 2FA are not vulnerable.
- Pro version users with expired licenses have auto-updates disabled and must manually update to 9.1.2 — these sites may remain vulnerable even after the forced update campaign.
- Affected versions span all three plugin variants (Free, Pro, and Pro Multisite) from 9.0.0 to 9.1.1.1 — ensure detection/patching covers all three product lines.
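The request-level indicators listed above can be checked mechanically against proxy or WAF logs. The following is an added example, not a detection rule from any source cited on this page: it classifies constructed proxy-style request/response records (the field names `ip`, `method`, `url`, `req_cookie`, `body`, `status`, `set_cookie` and `resp_body` are assumptions about the log format) and also flags source addresses that cycle through several `user_id` values, which covers the mass-exploitation indicator as well.

```python
import json
from collections import defaultdict

SKIP_ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"   # route named in the advisories above
URL = "/?rest_route=" + SKIP_ROUTE

def classify(rec):
    """Return (severity, user_id) for a skip_onboarding call, or None for unrelated traffic."""
    # Substring match covers both the ?rest_route= form and the /wp-json/... path form.
    if rec["method"] != "POST" or SKIP_ROUTE not in rec["url"]:
        return None
    try:
        body = json.loads(rec.get("body") or "{}")
    except ValueError:
        body = {}
    # WordPress session cookies are named wordpress_logged_in_<hash>; none present = unauthenticated.
    unauth = "wordpress_logged_in" not in rec.get("req_cookie", "")
    set_cookie = rec.get("set_cookie", "")
    # A 200 that issues a fresh login cookie and returns redirect_to means the bypass succeeded.
    success = (rec["status"] == 200 and "wordpress_logged_in" in set_cookie
               and "=deleted;" not in set_cookie and "redirect_to" in rec.get("resp_body", ""))
    if unauth and success:
        return "critical", body.get("user_id")
    if unauth and "user_id" in body and "login_nonce" in body:
        return "high", body.get("user_id")          # attempt that did not yield a session
    return "info", body.get("user_id")              # authenticated user finishing onboarding

def scan(records, enum_threshold=3):
    """Classify every record; also list source IPs that tried at least enum_threshold distinct user_ids."""
    findings, ids_by_ip = [], defaultdict(set)
    for rec in records:
        result = classify(rec)
        if result is None:
            continue
        severity, user_id = result
        findings.append((rec["ip"], severity, user_id))
        if severity in ("critical", "high"):
            ids_by_ip[rec["ip"]].add(user_id)
    enumerating = sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= enum_threshold)
    return findings, enumerating

# Constructed sample records (hypothetical reverse-proxy log), not real traffic.
SAMPLE = [
    {"ip": "198.51.100.7", "method": "POST", "url": URL, "req_cookie": "", "status": 200,
     "body": '{"user_id":1,"login_nonce":"x"}', "set_cookie": "wordpress_logged_in_1=admin%7Cabc; HttpOnly",
     "resp_body": '{"redirect_to":"\\/wp-admin\\/"}'},
    {"ip": "198.51.100.7", "method": "POST", "url": URL, "req_cookie": "", "status": 403,
     "body": '{"user_id":2,"login_nonce":"x"}', "set_cookie": "", "resp_body": '{"code":"rest_forbidden"}'},
    {"ip": "192.0.2.9", "method": "GET", "url": "/wp-json/wp/v2/posts", "req_cookie": "", "status": 200},
    {"ip": "203.0.113.5", "method": "POST", "url": "/wp-json" + SKIP_ROUTE, "status": 200,
     "req_cookie": "wordpress_logged_in_1=alice%7Cdef", "body": '{"user_id":5,"login_nonce":"n"}',
     "set_cookie": "", "resp_body": '{"redirect_to":"\\/wp-admin\\/"}'},
]
```

Running `scan(SAMPLE, enum_threshold=2)` reports one critical hit, one high attempt, one informational authenticated call, and lists 198.51.100.7 as enumerating user IDs.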
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-f75h-cwp9-8h5x · unreviewed · 2024-11-15 · CVE-2024-10924 [CRITICAL] · CWE-288
VulnCheck
really-simple-plugins really_simple_security Authentication Bypass Using an Alternate Path or Channel (CVE-2024-10924 [CRITICAL] · 2024 · CVSS 9.8)
Affected: really-simple-plugins really_simple_security
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
No detection rules found.
Exploit-DB
Really Simple Security 9.1.1.1 - Authentication Bypass (CVE-2024-10924 [CRITICAL] · exploitdb · 2025-04-15 · CVSS 9.8)
---
#!/usr/bin/env python3
# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass
# Date: 2024-11-19
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://really-simple-ssl.com/
# Software Link: https://really-simple-ssl.com/
# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1
# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution)
# CVE: CVE-2024-10924
# Category: WebApps
# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
# Vulnerability discovered and reported by: István Márton
# This is a Python3 program that exploits Really Simple Security <
Metasploit
WordPress Really Simple SSL Plugin Authentication Bypass to RCE
This module exploits an authentication bypass vulnerability in the WordPress Really Simple SSL plugin (versions 9.0.0 to 9.1.1.1). The vulnerability allows bypassing two-factor authentication (2FA) and uploading a plugin to achieve remote code execution (RCE). Note: For the system to be vulnerable, 2FA must be enabled on the target site; otherwise, the exploit will not work.
Nuclei
Really Simple Security < 9.1.2 - Authentication Bypass (CVE-2024-10924 [CRITICAL] · nuclei · CVSS 9.8)
Template:
id: CVE-2024-10924
info:
  name: Really Simple Security < 9.1.2 - Authentication Bypass
  author: yaser_s
  severity: critical
  description: |
    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication
References:
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
- https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
- https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
- https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
- https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2024-10924