Millions of WordPress sites potentially hijackable due to critical plugin bug

More than four million WordPress sites could be completely compromised with the exploitation of a critical authentication bypass flaw within the Really Simple Security plugin, tracked as CVE-2024-10924, reports SecurityWeek.

Malicious actors could leverage the vulnerability, which stems from improper user check error management in the two-factor REST API action, to facilitate high-privileged account breaches that could then be used for additional attacks, according to Defiant, a WordPress security provider. The absence of error management in the event of failed user verification enables ID-based authentication and "makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin," Defiant added. Administrators have been urged to ensure that their websites have Really Simple Security version 9.1.2, which has been automatically deployed by WordPress after the plugin's maintainers issued separate patches for the Pro and Free versions of the plugin.