PT-2024-8207 · WordPress · Really Simple Security

István Márton · Published 2024-11-06 · Updated 2026-05-16 · CVE-2024-10924

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Really Simple Security (Free, Pro, and Pro Multisite) versions 9.0.0 through 9.1.1.1

Description: The Really Simple Security plugins for WordPress are affected by an authentication bypass. The two-factor REST API actions rely on the plugin's check login and get user function, which is part of the authentication process; that function does not correctly handle the error case of its user check. As a result, unauthenticated attackers can log in as any existing user on the site, including administrators, whenever the "Two-Factor Authentication" setting is enabled. The vulnerability is tracked as CVE-2024-10924, has a CVSS score of 9.8 (Critical), and impacts over 4 million WordPress sites. It is actively exploited in the wild: attackers bypass two-factor authentication and gain full administrative access to vulnerable sites.

Recommendations: Update Really Simple Security to version 9.1.2 or later.

Weakness Enumeration

Missing Authentication
Improper Authentication
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

BDU:2024-09749
CVE-2024-10924

Affected Products

Really Simple Security