CVE-2024-10924

Published Nov 15, 2024

Last updated 2 months ago

Insights

Analysis from the Intruder Security Team
Published Nov 15, 2024

This is a wormable vulnerability that is very easy to exploit, and we expect imminent and automated exploitation of this vulnerability.

As for the prerequisites, for the exploit to work, at least one user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really Simple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.

A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.

Overview

Description
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Source
security@wordfence.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

nvd@nist.gov
CWE-306
security@wordfence.com
CWE-288

Social media

Hype score
Not currently trending
  1. 🚨 Attention WordPress users! A critical vulnerability (CVE-2024-10924) in the Really Simple Security plugin allows unauthorized access to your site, bypassing two-factor authentication. Update the plugin immediately to stay secure! Learn More: https://t.co/UWfFvkKavD 🚨 Alert…

    @KasperskyKSA

    23 Dec 2024

    221 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-10924: vulnerability on around four million sites https://t.co/KjacodCPpv #Vulnerability #cybersecurity #Web #Bugs #Hackers #Technology #Software #Malicious

    @QS2Point

    21 Dec 2024

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. The WordPress ecosystem just dodged a bullet. CVE-2024-10924, affecting 4M+ sites via the Really Simple Security plugin, could grant attackers admin access. A patch was issued, but is your site updated? Don’t wait, secure your site now! https://t.co/jkklUcJdJx

    @Shift6Security

    3 Dec 2024

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2024-38063 2 - CVE-2023-50428 3 - CVE-2024-10924 4 - CVE-2024-11477 5 - CVE-2024-44308 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    2 Dec 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #JaideAMafacon : Massive security alert: the authentication bypass CVE-2024-10924 affects 4 million WordPress users worldwide, including several ministry and company sites in Cameroon. Read my full article. https://t.co/NIfawIwBxK

    @banzance

    2 Dec 2024

    117 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🔥NEW VIDEO🔥 We look at the exploitation of the recent critical vulnerability in WordPress with the Really Simple Security plugin installed (CVE-2024-10924), which allows bypassing MFA and getting inside a website 😋👇 https://t.co/x7wlKeaqOu

    @PinguinoDeMario

    27 Nov 2024

    2164 Impressions

    17 Retweets

    59 Likes

    21 Bookmarks

    2 Replies

    0 Quotes

  7. Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites The vulnerability, tracked as CVE-2024-10924, impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites. Read More: https://t.co/FGQQTKgzr0 https:

    @pinakinit1

    25 Nov 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Your website's security might be at risk! A critical WordPress plugin flaw (CVE-2024-10924) can let attackers log in as admin. The great news? Patches are out! Update now to keep your site protected and secure. #WordPress #CyberSecurity https://t.co/QKruLrlKTG

    @sequretek_sqtk

    22 Nov 2024

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Critical Security Vulnerability Threatening Millions of WordPress Sites! 🚨 The vulnerability tracked as CVE-2024-10924 poses a threat to 4 million WordPress sites. This flaw gives attackers the opportunity to run code remotely (RCE) on your website; the funny part is that the flaw, on the dark web… ht

    @AydemirSerhat

    21 Nov 2024

    47 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  10. 🚨 Security Alert: A critical vulnerability (CVE-2024-10924) in the 'Really Simple Security' plugin for WordPress allows attackers to bypass authentication and gain admin access. Update to version 9.1.2 or later immediately to protect your site! #Cybersecurity #Ostorlab… https:/

    @OstorlabSec

    21 Nov 2024

    57 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Actively exploited CVE : CVE-2024-10924

    @transilienceai

    21 Nov 2024

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. #KDaily@kaspersky CVE-2024-10924: a vulnerability on 4 million sites. A vulnerability allowing authentication bypass has been discovered in a popular plugin for hardening WordPress site security. https://t.co/UieQG0stPt

    @kmscom6

    20 Nov 2024

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. #KDaily@kaspersky CVE-2024-10924: a vulnerability on 4 million sites. A vulnerability allowing authentication bypass has been discovered in a popular plugin for hardening WordPress site security. https://t.co/p5ZJZW5Vps

    @kmscom3

    20 Nov 2024

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 0-click RCE Exploit for CVE-2024-10924 that affects 4 million WP sites 🤪 Secure your site ASAP! #WordPress #BugBounty #BugBountyTips https://t.co/FQom2ThXuO

    @JoshuaProvoste

    20 Nov 2024

    22953 Impressions

    57 Retweets

    316 Likes

    198 Bookmarks

    5 Replies

    0 Quotes

  15. 🚨 A critical vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress exposes over 4 million sites! With a CVSS score of 9.8, it allows attackers to bypass authentication and gain full admin access. Ouch! Stay sharp, and remember: always check for… htt

    @mpgone_it

    20 Nov 2024

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 Security Alert: CVE-2024-10924 🔴 Severity: Critical 🔍 Affected Systems: Really Simple Security Plugin 💡 Risk: Account takeover vulnerability ⚠️ Action Required: Update plugin 💻 Read More: https://t.co/W3SBWwZM1x #CyberSecurity #CVE #Wordpress https://t.co/uOZK2yrFAU

    @HostStage

    19 Nov 2024

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. The #vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The #software is installed on over 4 million #WordPress sites. https://t.co/CYNv7Yhb03

    @BLACKWATCHIRE24

    19 Nov 2024

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Critical flaw in a widely used security plugin exposes millions of WordPress sites: the “CVE-2024-10924” vulnerability, identified in the “Really Simple Security” extension, allows remote attackers to obtain administrative access to vulnerable pages when the

    @BotDeschamps

    19 Nov 2024

    33 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  19. A critical flaw in the Really Simple Security plugin (CVE-2024-10924) impacts 4M+ WordPress sites, allowing attackers full admin access if two-factor authentication is enabled. Update to 9.1.2 immediately to secure your site. #WordPress #CyberSecurity https://t.co/D5yHDnArn0

    @Insights_things

    19 Nov 2024

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. #CybersecurityUpdate: The #WordPress plugin "Really Simple Security", essential for over 4 million sites, has a serious vulnerability (CVE-2024-10924, CVSS 9.8) that carries significant authentication bypass risks. The developers have introduced… https:/

    @cyber_net_now

    19 Nov 2024

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Vistem Solutions, Inc. - "Enhancing your business securely through innovation and technology." Please be advised that a critical vulnerability (CVE-2024-10924) has been discovered in the Really Simple Security plugin, which could allow attackers to gain admin…

    @VistemSolutions

    19 Nov 2024

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites. A critical authentication bypass vulnerability CVE-2024-10924 (CVSS score: 9.8) has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress. https://t.co/KhMhKWwHh4 https:

    @riskigy

    18 Nov 2024

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Warning: Critical vulnerability in the popular @wordpress plugin Really Simple Security. #CVE-2024-10924 CVSS: 9.8. Can lead to attackers logging in as any user on the website - incl. administrators - so #Patch #Patch #Patch. More info: https://t.co/vDa95TK6v0

    @CCBalert

    18 Nov 2024

    253 Impressions

    1 Retweet

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  24. A critical security vulnerability (CVE-2024-10924) in the Really Simple SSL component affects more than 4 million WordPress sites, allowing attackers to bypass 2FA and gain administrator access remotely. Details here: https://t.co/L40H9Z1ojn Patch available, update now!

    @CERT_Arabic

    18 Nov 2024

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨Alert🚨CVE-2024-10924: 'Really Simple Security' plugin authentication bypass vulnerability in WordPress exposes websites to takeover and provides full administrative access. 📊 3.5K+ Services are found on https://t.co/ysWb28BTvF yearly. 🔗Hunter Link: https://t.co/eHG9BFarNv…

    @HunterMapping

    18 Nov 2024

    11789 Impressions

    54 Retweets

    178 Likes

    84 Bookmarks

    1 Reply

    0 Quotes

  26. WordPress Plugin Vulnerability Exposes 4M+ Websites To Hackers: https://t.co/Xt6CVyasBJ A critical vulnerability (CVE-2024-10924) in the Really Simple Security plugin, affecting over 4 million WordPress sites, allows unauthenticated attackers to bypass two-factor authentication…

    @securityRSS

    18 Nov 2024

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 CRITICAL ALERT for WordPress users! A massive flaw in the Really Simple Security plugin (CVE-2024-10924) exposes more than 4M sites! Exploitable even with 2FA, it allows …👇👇👇 (Continued below) #Cybersecurity #WordPress #SecurityFlaw https://t.co/Ttdx

    @hackthedevils

    18 Nov 2024

    19 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. 🚨Critical flaw in a WordPress plugin: over 4 million sites may have been exposed to takeover (CVE-2024-10924) ~Cybersecurity weekend news~ https://t.co/dIdfwai61x #Security #Intelligence #OSINT

    @MachinaRecord

    18 Nov 2024

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CVE-2024-10924 WordPress / Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 – 9.1.1.1 – Authentication Bypass / POC https://t.co/gHCG7qOlBg

    @turne85540

    18 Nov 2024

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. TheHackersNews: A critical #vulnerability (CVE-2024-10924) in the Really Simple SSL plugin affects 4 Million+ #WordPress sites, allowing attackers to bypass 2FA and gain admin access remotely. Details here: https://t.co/IkURWHaxyb Patch available—update now!

    @jvquantum

    18 Nov 2024

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. A critical #vulnerability (CVE-2024-10924) in the Really Simple SSL plugin affects 4 Million+ #WordPress sites, allowing attackers to bypass 2FA and gain admin access remotely. Details here: https://t.co/tkk0imUeKm Patch available—update now!

    @TheHackersNews

    18 Nov 2024

    42908 Impressions

    62 Retweets

    117 Likes

    33 Bookmarks

    3 Replies

    7 Quotes

  32. A vulnerability (CVE-2024-10924) has been found in Really Simple Security, a WordPress security plugin, reportedly letting attackers easily abuse administrator privileges. I expect a sharp rise in defaced sites as well. https://t.co/S12oS7LMFi

    @x64koichi

    18 Nov 2024

    3275 Impressions

    10 Retweets

    43 Likes

    13 Bookmarks

    1 Reply

    1 Quote

  33. A vulnerability with identifier CVE-2024-10924 has recently been published for the well-known WordPress plugin Really Simple Security; 4 million WordPress websites worldwide are exposed to being hacked. Versions 9.0.0 to 9.1.1.1 of this plugin are affected. https://t.co/Poz3aKY03t

    @AmirHossein_sec

    17 Nov 2024

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. #WordPress Over 4mln WordPress websites were impacted by a critical 'Really Simple Security' plugin authentication bypass vulnerability CVE-2024-10924 (CVSS score 9.8) exposing websites to takeover and providing full administrative access: 👇 https://t.co/EX9Wdwveir https://t.co

    @securestep9

    16 Nov 2024

    68 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  35. Critical security vulnerability CVE-2024-10924 in WordPress Really Simple Security plugin affects 4M+ websites. Patch available in version 9.1.2. More details here: https://t.co/AhVs5SuVMF #WordPress #ReallySimpleSecurity #Vulnerability

    @CandidTodayTech

    15 Nov 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. CVE-2024-10924 The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to i… https://t.co/q4lohITdci

    @CVEnew

    15 Nov 2024

    513 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. CVE-2024-10924 (CVSS 9.8): Authentication Bypass in Really Simple Security Plugin Affects 4 Million Sites https://t.co/OlvSLmOPpl

    @Dinosn

    15 Nov 2024

    2473 Impressions

    11 Retweets

    18 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  38. After almost a year, here’s another blog post about a vulnerable plugin (CVE-2024-10924): https://t.co/fdQH8ELE54 #WordPressPlugins #PatchNow

    @the_pesc

    14 Nov 2024

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. [Zero-factor authentication] A critical authentication bypass vulnerability in the Really Simple Security WordPress plugin used by 4 million sites. Affects both Free and Pro. CVE-2024-10924 has a CVSS score of 9.8. Triggering a nonce error causes the two-factor authentication step to be treated as passed, allowing login with only a user ID. https://t.co/fquH4J9oSF https://t.co/imXn1mbcgI

    @__kokumoto

    14 Nov 2024

    2184 Impressions

    11 Retweets

    14 Likes

    6 Bookmarks

    0 Replies

    2 Quotes

Configurations