VDB

CVE-2024-10924

CVE-2024-10924 · PUBLISHED · CVSS 9.8 (CRITICAL)

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

EPSS 93.89% · 99.9th percentile

Risk Scores

CVSS v3.1: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 93.89% (99.9th percentile)

Affected Products

Vendor                 | Product                                                                              | Versions
-----------------------|--------------------------------------------------------------------------------------|---------------------
rogierlankhorst        | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 9.0.0, 9.0.0
Really Simple Plugins  | Really Simple Security Pro                                                           | 9.0.0, 9.0.0
Really Simple Plugins  | Really Simple Security Pro multisite                                                 | 9.0.0, 9.0.0
really-simple-plugins  | really_simple_security                                                               | 9.0.0, 9.0.0
really-simple-plugins  | really_simple_security                                                               | 9.0.0, 9.0.0, 9.0.0

Timeline

  • Jan 21, 1970 Metasploit Module
  • Jan 21, 1970 Nuclei Template
  • Jan 21, 1970 Fix Commit
  • Jan 6, 2024 CrowdSec Sighting
  • Nov 15, 2024 EPSS Score
  • Nov 15, 2024 Coalition ESS Score
  • Nov 15, 2024 CVE Published
  • Nov 15, 2024 PoC Published
  • Nov 15, 2024 PoC Published
  • Nov 15, 2024 PoC Published
  • Nov 17, 2024 PoC Published
  • Nov 18, 2024 PoC Published