A critical-severity vulnerability in the Really Simple Security plugin for WordPress potentially exposed four million websites to complete takeover, WordPress security firm Defiant warns.
Tracked as CVE-2024-10924 (CVSS score of 9.8), the issue is described as an authentication bypass that allows an unauthenticated attacker to log in as any user, including an administrator.
According to Defiant, the security defect exists because of improper error handling in the user check performed by the plugin’s two-factor REST API action. The bug can only be triggered if two-factor authentication (2FA) is enabled.
Formerly known as Really Simple SSL and used by more than four million WordPress websites, the Really Simple Security plugin enables site administrators to add various security features, including 2FA, login protections, vulnerability detection, and more.
The critical vulnerability was identified in one of the features adding 2FA, which was insecurely implemented, Defiant explains.
The function does not handle an error returned when user verification fails, resulting in the user being authenticated based on the supplied ID even if the identification has not been verified.
“Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin,” Defiant explains.
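The error-handling mistake described above, shown as a hypothetical WordPress REST handler beside its corrected form. This is an added illustration of the bug class, not the plugin's own code; the function names, the `user_id` and `login_nonce` parameters and the `example_2fa_login_nonce` user meta key are assumptions.

```php
<?php
// Hypothetical verifier following the WordPress convention of returning a
// WP_Error object on failure instead of throwing. Returns WP_User on success.
function example_verify_user( int $user_id, string $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user || ! example_nonce_matches( $user, $login_nonce ) ) {
        return new WP_Error( 'invalid_user', 'User verification failed' );
    }
    return $user;
}

// Constant-time comparison against a per-user login nonce (assumed meta key).
function example_nonce_matches( WP_User $user, string $login_nonce ): bool {
    $stored = (string) get_user_meta( $user->ID, 'example_2fa_login_nonce', true );
    return $stored !== '' && hash_equals( $stored, $login_nonce );
}

// VULNERABLE pattern: the WP_Error return value is never checked, so a failed
// verification falls through and a session is issued for the caller-supplied ID.
function example_2fa_login_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $result  = example_verify_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    // Missing here: if ( is_wp_error( $result ) ) { ...reject... }
    wp_set_auth_cookie( $user_id, true );   // authenticates whoever was named
    return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

// HARDENED pattern: reject on WP_Error, and take the user ID from the verified
// WP_User object rather than trusting the ID that arrived in the request.
function example_2fa_login_fixed( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $result  = example_verify_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    if ( is_wp_error( $result ) ) {
        return new WP_REST_Response( array( 'status' => 'error' ), 401 );
    }
    wp_set_auth_cookie( $result->ID, true );  // only the user that actually verified
    return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}
```

When reviewing WordPress code, any call that can return `WP_Error` should be followed by an `is_wp_error()` check before the result is used for an authentication or authorization decision.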
Successful exploitation of CVE-2024-10924, like that of other authentication bypass flaws granting access to high-privileged accounts, enables threat actors to easily compromise vulnerable WordPress sites and abuse them for further attacks.
The vulnerability was reported to Really Simple Security’s maintainers on November 6 and patches were rolled out for the Pro and Free plugin iterations on November 12 and November 14, respectively.
Really Simple Security version 9.1.2, which resolves the bug, was automatically pushed out by the WordPress team. All site administrators using the plugin are advised to verify that they are running the patched version.
“Due to the critical severity of this vulnerability (CVSS score 9.8 Critical), the plugin vendor worked with the WordPress.org plugins team to push a forced security update to the patched version, 9.1.2, for anyone running a vulnerable version of the plugin,” Defiant notes.