CVE-2024-10924
published 2024-11-15


Priority: P193 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 81.72% (99.6th percentile)
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

Affected (4 ranges)

Vendor                  Product                                                Version range        Fixed in
really-simple-plugins   really_simple_security                                 >= 9.0.0 < 9.1.2     9.1.2
really_simple_plugins   really_simple_security_pro                             9.0.0 – 9.1.1.1
really_simple_plugins   really_simple_security_pro_multisite                   9.0.0 – 9.1.1.1
rogierlankhorst         really_simple_security_simple_and_performant_security  9.0.0 – 9.1.1.1

Detection & IOCs (extracted from sources)

url:  /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding
path: /reallysimplessl/v1/two_fa/skip_onboarding
path: /wp-content/plugins/really-simple-ssl
yara: id: CVE-2024-10924 (Nuclei template: POST to /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding with user_id and an invalid login_nonce; response contains '"redirect_to":"\/wp-admin\/"')
  • Monitor for unauthenticated POST requests to the REST API endpoint '?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding' — this is the specific endpoint abused to trigger the authentication bypass.
  • Alert on HTTP 200 responses to the skip_onboarding endpoint that set authentication cookies (Set-Cookie header present, does not contain '=deleted;') and include 'redirect_to' in the response body — this indicates a successful bypass.
  • The exploit payload sends a JSON body with 'user_id' (typically 1 for admin) and a random/invalid 'login_nonce' — detect POST bodies to the REST endpoint containing both 'user_id' and 'login_nonce' fields from unauthenticated sessions.
  • Scan WordPress installations for the presence of the vulnerable plugin path '/wp-content/plugins/really-simple-ssl' running versions 9.0.0 through 9.1.1.1.
  • The vulnerability is only exploitable when Two-Factor Authentication is enabled in the Really Simple Security plugin. Prioritize detection/patching on sites with 2FA active.
  • The flaw can be exploited en masse via automated scripts — look for high-volume, rapid sequential POST requests to the skip_onboarding REST endpoint across multiple sites or with incrementing 'user_id' values.
  • The Metasploit module chains the auth bypass with plugin upload for RCE — detect follow-on plugin upload attempts (POST to wp-admin plugin upload endpoints) immediately after successful authentication from previously unauthenticated sessions.
  • The vulnerability is only exploitable when the Two-Factor Authentication feature is explicitly enabled in the Really Simple Security plugin; it is disabled by default, so sites that have never enabled 2FA are not vulnerable.
  • Pro version users with expired licenses have auto-updates disabled and must manually update to 9.1.2; these sites may remain vulnerable even after the forced update campaign.
  • Affected versions span all three plugin variants (Free, Pro, and Pro Multisite) from 9.0.0 to 9.1.1.1; ensure detection/patching covers all three product lines.
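The detection bullets above can be turned directly into log-review logic. The following is an added example written for this page, not code from the CVE record, the plugin vendor, or any detection vendor. It runs the page's three indicators (an unauthenticated POST to the skip_onboarding route carrying user_id and login_nonce; a 200 response with a live Set-Cookie and redirect_to in the body; bursts or incrementing user_id values from one source) over constructed request records. The record field names, the wordpress_logged_in_ cookie as the session marker, the /wp-json/ form of the route, and the burst threshold are assumptions of the example.

```python
"""Detection logic for CVE-2024-10924 over constructed request/response records.

Constructed example, not code from the page or the plugin vendor. Each record
mimics one request/response pair as a reverse proxy or WAF might log it. The
field names (ts, src, method, uri, req_cookies, body, status, resp_headers,
resp_body) are assumptions of this example.
"""
import json
from urllib.parse import parse_qs, urlparse

SKIP_ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"  # route from the page's IoCs


def targets_skip_onboarding(uri: str) -> bool:
    """True if the URI addresses the skip_onboarding REST route, either via
    ?rest_route= (the form in the page's IoCs) or under the /wp-json/ prefix
    (assumed equivalent WordPress REST routing)."""
    parsed = urlparse(uri)
    if parsed.path.rstrip("/").endswith("/wp-json" + SKIP_ROUTE):
        return True
    routes = parse_qs(parsed.query).get("rest_route", [])
    return any(r.rstrip("/") == SKIP_ROUTE for r in routes)


def is_unauthenticated(req_cookies: str) -> bool:
    # Assumption: a WordPress session shows up as a wordpress_logged_in_* cookie.
    return "wordpress_logged_in_" not in (req_cookies or "")


def body_has_bypass_fields(body: str) -> bool:
    """The page's payload indicator: a JSON body with both user_id and login_nonce."""
    try:
        data = json.loads(body or "")
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and "user_id" in data and "login_nonce" in data


def response_indicates_success(status: int, resp_headers: list, resp_body: str) -> bool:
    """The page's success indicator: HTTP 200, a Set-Cookie that is not a
    '=deleted;' clearing cookie, and 'redirect_to' in the response body."""
    if status != 200:
        return False
    set_cookies = [v for k, v in resp_headers if k.lower() == "set-cookie"]
    if not any("=deleted;" not in v for v in set_cookies):
        return False
    return "redirect_to" in (resp_body or "")


def classify(rec: dict) -> list:
    """Tag one record: endpoint hit, bypass attempt, confirmed bypass."""
    tags = []
    if rec["method"].upper() != "POST" or not targets_skip_onboarding(rec["uri"]):
        return tags
    tags.append("skip_onboarding_post")
    if is_unauthenticated(rec.get("req_cookies", "")) and body_has_bypass_fields(rec.get("body", "")):
        tags.append("bypass_attempt")
    if response_indicates_success(rec["status"], rec.get("resp_headers", []), rec.get("resp_body", "")):
        tags.append("bypass_success")
    return tags


def find_mass_exploitation(records: list, window_s: int = 60, threshold: int = 3) -> dict:
    """Per source IP: flag >= threshold attempts inside window_s seconds (burst)
    and user_id values that step upward by one (enumeration). Thresholds are
    assumptions; tune them to the site's normal traffic."""
    by_src = {}
    for r in records:
        if "bypass_attempt" in classify(r):
            by_src.setdefault(r["src"], []).append(r)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for i in range(len(recs) - threshold + 1):
            if recs[i + threshold - 1]["ts"] - recs[i]["ts"] <= window_s:
                reasons.add("burst")
                break
        uids = [json.loads(r["body"]).get("user_id") for r in recs]
        uids = [u for u in uids if isinstance(u, int)]
        if len(uids) >= 3 and all(b == a + 1 for a, b in zip(uids, uids[1:])):
            reasons.add("user_id_enumeration")
        if reasons:
            flagged[src] = sorted(reasons)
    return flagged


# Constructed sample records (not captured traffic).
ENDPOINT = "/?rest_route=" + SKIP_ROUTE
SAMPLE_RECORDS = [
    {"ts": 990, "src": "198.51.100.7", "method": "GET", "uri": "/?rest_route=/wp/v2/posts",
     "req_cookies": "", "body": "", "status": 200, "resp_headers": [], "resp_body": "[]"},
    {"ts": 1000, "src": "203.0.113.10", "method": "POST", "uri": ENDPOINT, "req_cookies": "",
     "body": '{"user_id": 1, "login_nonce": "not-a-real-nonce"}', "status": 200,
     "resp_headers": [("Set-Cookie", "wordpress_logged_in_abc=EXAMPLE; Path=/; HttpOnly")],
     "resp_body": '{"redirect_to":"\\/wp-admin\\/"}'},
    {"ts": 1005, "src": "203.0.113.10", "method": "POST", "uri": ENDPOINT, "req_cookies": "",
     "body": '{"user_id": 2, "login_nonce": "not-a-real-nonce"}', "status": 403,
     "resp_headers": [], "resp_body": '{"code":"rest_forbidden"}'},
    {"ts": 1010, "src": "203.0.113.10", "method": "POST", "uri": ENDPOINT, "req_cookies": "",
     "body": '{"user_id": 3, "login_nonce": "not-a-real-nonce"}', "status": 403,
     "resp_headers": [], "resp_body": '{"code":"rest_forbidden"}'},
    # Logged-in user hitting the same route; the only Set-Cookie is a clearing cookie.
    {"ts": 1100, "src": "198.51.100.7", "method": "POST", "uri": ENDPOINT,
     "req_cookies": "wordpress_logged_in_abc=EXAMPLE",
     "body": '{"user_id": 5, "login_nonce": "session-nonce"}', "status": 200,
     "resp_headers": [("Set-Cookie", "rsssl_onboarding=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT")],
     "resp_body": '{"redirect_to":"\\/wp-admin\\/"}'},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src"], rec["ts"], classify(rec))
    print("mass exploitation:", find_mass_exploitation(SAMPLE_RECORDS))
```

The authenticated record at the end shows why the '=deleted;' check matters: without it, a legitimate user's 200 response with a clearing cookie would be misread as a successful bypass. The burst and enumeration checks only count records already tagged as attempts, so ordinary traffic to the route never contributes to the mass-exploitation flag.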

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck             9.8     CRITICAL