Really Simple Security (Free, Pro, and Pro Multisite) is a popular family of security plugins for WordPress. They help secure a WordPress site with features such as two-factor authentication (2FA), Google reCAPTCHA, and more. However, versions 9.0.0 to 9.1.1.1 of these plugins have been found to be vulnerable to authentication bypass. The vulnerability allows an unauthenticated attacker to log in as any existing user on the site, including administrators.

Vulnerability Details

The vulnerability is caused by improper error handling of the user check in the two-factor REST API actions, specifically in the check_login_and_get_user function. When the "Two-Factor Authentication" setting is enabled (it is disabled by default), unauthenticated attackers can bypass the 2FA process and gain access to the user account. This is a critical vulnerability, as it can give an attacker administrative access to the affected WordPress site.

Here is a code snippet demonstrating the problematic code in the check_login_and_get_user function:

function check_login_and_get_user( $username, $password ) {
    // wp_authenticate() returns a WP_User on success or a WP_Error on failure.
    $user = wp_authenticate( $username, $password );

    // An explicit WP_Error is passed back to the caller.
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    // Any other result without a user ID is treated as "no user" and
    // silently returns null instead of an error.
    if ( empty( $user->ID ) ) {
        // this line should be replaced with "return new WP_Error( ... );"
        return null;
    }

    return $user;
}

As shown in the code snippet above, if the wp_authenticate function fails to authenticate the user (for example because of an incorrect password), the function returns null instead of returning an error. This incorrect error handling allows attackers to bypass the authentication process.
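The following is an added example, not code from the write-up or from the Really Simple Security plugin, showing how the helper and its REST caller should behave: the helper returns either a user object or a WP_Error and never null, and the caller refuses to proceed to the 2FA step unless it holds a real user with a non-empty ID. The WP_Error, is_wp_error and wp_authenticate stand-ins at the top are constructed so the file runs outside WordPress (php hardened_login.php); inside WordPress the real functions are used. The function names ending in _hardened and two_fa_login_action are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Stand-ins for WordPress APIs are
// only defined when the file is run outside WordPress.
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error {
        public $code;
        public $message;
        public function __construct( $code = '', $message = '' ) {
            $this->code    = $code;
            $this->message = $message;
        }
        public function get_error_message() { return $this->message; }
    }
    function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
}
if ( ! function_exists( 'wp_authenticate' ) ) {
    // Constructed stand-in: a single known account used to exercise the code.
    function wp_authenticate( $username, $password ) {
        if ( 'admin' === $username && 'correct-horse-battery' === $password ) {
            $user             = new stdClass();
            $user->ID         = 1;
            $user->user_login = 'admin';
            return $user;
        }
        return new WP_Error( 'invalid_credentials', 'Invalid username or password.' );
    }
}

// Hardened helper: the contract is "WP_User or WP_Error", never null.
function check_login_and_get_user_hardened( $username, $password ) {
    $user = wp_authenticate( $username, $password );
    if ( is_wp_error( $user ) ) {
        return $user; // propagate the authentication failure unchanged
    }
    // A result without a usable ID is a failure, not a "no user" case.
    if ( ! is_object( $user ) || empty( $user->ID ) ) {
        return new WP_Error( 'invalid_user', 'Authentication failed.' );
    }
    return $user;
}

// Caller side: the REST action validates the result before touching $user->ID.
function two_fa_login_action( array $params ) {
    $user = check_login_and_get_user_hardened(
        $params['username'] ?? '',
        $params['password'] ?? ''
    );
    if ( is_wp_error( $user ) || empty( $user->ID ) ) {
        // Same generic 401 whether the account exists or not.
        return array( 'status' => 401, 'error' => 'invalid_credentials' );
    }
    // Only past this point is it safe to continue to the 2FA token check.
    return array( 'status' => 200, 'user_id' => (int) $user->ID );
}

// Constructed inputs mirroring the request shown in the write-up.
$bad  = two_fa_login_action( array( 'username' => 'admin', 'password' => 'incorrect-password', '2fa_token' => '123456' ) );
$good = two_fa_login_action( array( 'username' => 'admin', 'password' => 'correct-horse-battery' ) );
assert( 401 === $bad['status'] );
assert( 200 === $good['status'] && 1 === $good['user_id'] );
echo "wrong password -> {$bad['status']}, correct password -> {$good['status']}\n";
```

The important design point is that both layers check. The helper's contract removes the null return entirely, and the caller still treats anything that is not a user with an ID as a failure, so a future change to the helper cannot reintroduce the bypass unnoticed.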

Exploit Example

An attacker can exploit this vulnerability by sending a specially crafted request to the WordPress site's REST API. The following is an example of a vulnerable REST API request:

POST /wp-json/rs-security/v1/login?_locale=user HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=incorrect-password&2fa_token=123456

Notice that the password parameter is set to an incorrect value. In the vulnerable plugin versions, the server will not return an authentication error but instead null, granting the attacker access to the account.
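For defenders, the request above is also what to look for in web-server logs. The following is an added example (not part of the write-up) that parses Combined Log Format access-log lines, counts POSTs per client to the REST path shown above, ignoring the ?_locale query string, and reports which clients were answered with HTTP 200. The log lines are constructed; the threshold of five attempts and the function names are assumptions.

```php
<?php
// Added example: summarize POSTs to the 2FA REST login endpoint per client IP.
const TWO_FA_ENDPOINT = '/wp-json/rs-security/v1/login'; // path from the write-up
const ATTEMPT_THRESHOLD = 5;                             // assumed tuning value

// Combined Log Format: host ident user [time] "METHOD path HTTP/x" status bytes ...
function parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

function summarize_two_fa_logins( array $lines ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        $r = parse_access_line( $line );
        if ( null === $r || 'POST' !== $r['method'] ) {
            continue;
        }
        $path = explode( '?', $r['path'], 2 )[0]; // drop ?_locale=user etc.
        if ( TWO_FA_ENDPOINT !== $path ) {
            continue;
        }
        $ip = $r['ip'];
        $per_ip[ $ip ] ??= array( 'attempts' => 0, 'ok' => 0, 'failed' => 0 );
        $per_ip[ $ip ]['attempts']++;
        if ( 200 === $r['status'] ) {
            $per_ip[ $ip ]['ok']++;
        } else {
            $per_ip[ $ip ]['failed']++;
        }
    }
    return $per_ip;
}

// Flag clients that hammered the endpoint, or that mixed failures with a 200.
function flag_suspicious( array $per_ip ): array {
    $flags = array();
    foreach ( $per_ip as $ip => $c ) {
        if ( $c['attempts'] >= ATTEMPT_THRESHOLD || ( $c['failed'] > 0 && $c['ok'] > 0 ) ) {
            $flags[ $ip ] = $c;
        }
    }
    return $flags;
}

// Constructed sample log lines.
$sample = array(
    '203.0.113.7 - - [15/Nov/2024:04:20:01 +0000] "POST /wp-json/rs-security/v1/login?_locale=user HTTP/1.1" 401 112 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Nov/2024:04:20:02 +0000] "POST /wp-json/rs-security/v1/login?_locale=user HTTP/1.1" 401 112 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Nov/2024:04:20:03 +0000] "POST /wp-json/rs-security/v1/login?_locale=user HTTP/1.1" 200 318 "-" "curl/8.4.0"',
    '198.51.100.4 - - [15/Nov/2024:04:21:10 +0000] "POST /wp-json/rs-security/v1/login?_locale=user HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Nov/2024:04:21:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

$summary = summarize_two_fa_logins( $sample );
$flags   = flag_suspicious( $summary );
assert( 3 === $summary['203.0.113.7']['attempts'] );
assert( isset( $flags['203.0.113.7'] ) && ! isset( $flags['198.51.100.4'] ) );
foreach ( $flags as $ip => $c ) {
    printf( "%s: %d attempts, %d x 200, %d failed\n", $ip, $c['attempts'], $c['ok'], $c['failed'] );
}
```

A single 200 on this route is a normal login and not evidence on its own; what stands out is a client whose failed attempts against the endpoint are followed by a 200, or a burst of attempts from one address, which is why the report keeps both counters per client rather than just matching the path.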

Original References

- CVE-2024-10924
- CVE Details
- Exploit Database

Solution

To fix this vulnerability, update the Really Simple Security plugins to version 9.1.1.2 or later, which includes proper error handling and prevents the authentication bypass. Additionally, keep your WordPress plugins and themes updated regularly to maintain the security of your site.

While the issue has been resolved in the latest plugin versions, to further secure your site, consider taking additional security measures, such as:

- Regularly monitoring for security updates and patches

In conclusion, CVE-2024-10924 is a critical vulnerability affecting the Really Simple Security plugins for WordPress. Website administrators must take immediate action to update their plugins, secure their WordPress installations, and protect their users' data.

Timeline

Published on: 11/15/2024 04:15:03 UTC
Last modified on: 11/19/2024 14:15:17 UTC