Wordfence has disclosed a critical authentication-bypass vulnerability in the Really Simple Security plugin (formerly Really Simple SSL), which is installed on more than 4 million WordPress sites. Rated CVSS 9.8 (critical), the flaw lets an unauthenticated attacker bypass authentication and gain administrative control of an affected site. Both the free and the premium editions of the plugin are affected.
Taking over admin accounts
Really Simple Security is a widely used plugin that adds vulnerability detection, login protection and two-factor authentication to WordPress. The flaw is in its check_login_and_get_user function, which the plugin uses to authenticate requests to its REST API: the function failed to properly verify the identity of the user a request claimed to be, so an unauthenticated attacker could pass the check and obtain administrative access.
The vulnerability affects plugin versions 9.0.0 through 9.1.1.1 across the Free, Pro, and Pro Multisite variants.
Discovery and patch timeline
The vulnerability was discovered on November 6, 2024, by Wordfence's Threat Intelligence team, specifically researcher István Márton, during routine analysis.
“This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress,” warns the researcher on his write-up.
It stems from improper error handling in the plugin's two-factor authentication feature. When two-factor authentication is enabled, an attacker can exploit the flaw remotely to log in as any user, including an administrator, without that user's credentials. The feature is off by default, but many site owners turned it on precisely to harden their logins; in this case it had the opposite effect.
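The following is an added illustration of how an error-handling mistake of this kind turns into an authentication bypass. It is not the Really Simple Security code and does not reproduce the plugin's endpoints or parameters; the class, method and field names, the nonce scheme and the sample users are all constructed for the example. The pattern shown is an assumption about the shape of such a bug: the failure branch builds an error but never returns, so execution falls through to the success path and the caller receives whichever user the request asked for.

```php
<?php
declare(strict_types=1);

// Added illustration of the "error built but never returned" anti-pattern.
// Not the plugin's code: every name and the sample data are hypothetical.

final class LoginNonceCheck
{
    /** @var array<int, array{login: string, role: string, nonce: string}> constructed sample users */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    // Hypothetical nonce check: the supplied nonce must match the one issued
    // to that user id. hash_equals avoids a timing side channel on comparison.
    private function verifyLoginNonce(int $userId, string $nonce): bool
    {
        return isset($this->users[$userId])
            && hash_equals($this->users[$userId]['nonce'], $nonce);
    }

    // VULNERABLE pattern: on failure an error value is prepared, but the
    // function does not return, so control reaches the lookup below and the
    // user record for an attacker-chosen id is handed back regardless.
    public function checkLoginAndGetUserVulnerable(int $userId, string $nonce): ?array
    {
        $error = null;
        if (!$this->verifyLoginNonce($userId, $nonce)) {
            $error = ['code' => 'invalid_nonce', 'message' => 'Login nonce is invalid'];
            // missing early exit: the error is never returned or acted on
        }

        return $this->users[$userId] ?? null; // nonce outcome is never consulted
    }

    // HARDENED: fail closed. The failure branch returns at once, so the user
    // record is only reachable when the nonce actually verified.
    public function checkLoginAndGetUserFixed(int $userId, string $nonce): array
    {
        if (!$this->verifyLoginNonce($userId, $nonce)) {
            return ['error' => ['code' => 'invalid_nonce', 'message' => 'Login nonce is invalid']];
        }

        return ['user' => $this->users[$userId]];
    }
}

// Constructed sample data: user 1 is the site administrator.
$store = new LoginNonceCheck([
    1 => ['login' => 'admin',  'role' => 'administrator', 'nonce' => 'a1b2c3'],
    2 => ['login' => 'editor', 'role' => 'editor',        'nonce' => 'd4e5f6'],
]);

// A request that names the administrator's user id with a bogus nonce.
$vuln  = $store->checkLoginAndGetUserVulnerable(1, 'not-the-nonce');
$fixed = $store->checkLoginAndGetUserFixed(1, 'not-the-nonce');

printf("vulnerable path returned user: %s\n", $vuln['login'] ?? 'null');
printf("hardened path returned:        %s\n", $fixed['error']['code'] ?? 'user ' . $fixed['user']['login']);
```

Run it with `php example.php`: the vulnerable method hands back the administrator's record for a nonce that never verified, while the hardened method returns the error and nothing else. The practical check when reviewing authentication code is that every failure branch ends in a return, throw or exit, and that the success path is unreachable without the check having passed.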
The Really Simple Plugins team was contacted immediately, and the patched version, 9.1.2, was released to Pro users on November 12 and to Free users on November 14. To limit exposure, WordPress.org pushed forced updates to sites running the affected versions, a rare step that underscores the severity of the vulnerability.
Sites without a valid plugin license may not receive automatic updates, so their administrators should verify the installed version manually.
To safeguard against this vulnerability, site administrators should confirm in the WordPress admin dashboard that the forced update was applied and that the plugin is on version 9.1.2 or later. Where updating is not possible, disable two-factor authentication until the patch is applied: the bypass is only exploitable while that feature is enabled.
Hosting providers should enforce the update and scan their environments for vulnerable versions. Site owners are encouraged to spread awareness within the WordPress community so that unmaintained sites are updated promptly.