CVE-2024-10924

Published Nov 15, 2024

Last updated 2 days ago

Insights

Analysis from the Intruder Security Team

Published Nov 15, 2024

This is a wormable vulnerability that is very easy to exploit and we expect imminent and automated exploitation of this vulnerability.

As for the pre-requisites, for the explioit to work no user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really SImple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.

A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.

Overview

Description: The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-288

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 1

Insights

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

References