WordPress vulnerability threatens over 4 million websites

A critical flaw in the Really Simple Security plugin exposes over 4 million WordPress sites to unauthorized admin access. Learn how to protect your site now.

By Bünyamin Furkan Demirkaya
18 November 2024
in Security

Millions of WordPress websites are exposed to a critical vulnerability in a WordPress security plugin that allows unauthorized administrator access. The authentication bypass flaw, found in the Really Simple Security plugin, requires urgent action from site owners.

The Really Simple Security vulnerability has a threat score of 9.8 out of 10, reflecting how easy it is to exploit. Attackers can log in to an affected website as any existing user, including users with administrative permissions. Flaws of this kind are categorized as unauthenticated access vulnerabilities and are especially worrying because exploitation requires no knowledge of a user's credentials.

Unauthorized access risks soar with WordPress plugin vulnerability

This means that unauthenticated attackers can reach restricted areas of a site without a username or password. Specifically, the problem exists in versions 9.0.0 to 9.1.1.1 of the plugin and stems from a lack of proper user validation error handling in its two-factor authentication REST API actions. According to Wordfence researchers, the vulnerability can be exploited whether or not two-factor authentication is enabled on the site.

In under 24 hours, Wordfence reported that it had blocked more than 310 attacks targeting this specific weakness. The plugin is installed on well over 4 million sites, so the risk is high for those who have not kept their plugins up to date. Because the attack is scriptable, mass exploitation is likely, and malicious activity can be rolled out rapidly.

Critical WordPress plugin vulnerability puts millions of sites at risk

Before the flaw was disclosed, the plugin's developers had a week's head start to roll out a patch in version 9.1.2. That version's changelog explicitly mentions that the authentication bypass issue has been addressed. This is also the first plugin for which a version-bump update was officially pushed to websites running the vulnerable versions before the public announcement of the flaw, giving site owners a last chance to update before details became public.

Patch details and responses from the community

This is not the first time we have heard about WordPress vulnerabilities, and it certainly will not be the last. This security issue follows relatively closely after another critical flaw was discovered in the WPLMS Learning Management System. To be clear, the Really Simple Security flaw affects both the free and premium editions, so every site owner using the plugin needs to check their site's security right now.

Wordfence's analysis highlights how the vulnerability arises from a specific function called "check_login_and_get_user." Because of the missing error handling, an attacker can submit a specially crafted request to log in to any existing user account, including the administrator's account. Experts warn that this can lead to a full site takeover and further malicious actions.
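As an added illustration (not the plugin's own code and not taken from Wordfence's write-up), the simplified PHP below shows the error-handling pattern at issue: a lookup that returns a WP_Error on failure, a REST callback that never checks that return value before logging the user in, and the fail-closed version. It assumes a WordPress runtime; the example_ function names and the login_nonce parameter are hypothetical.

```php
<?php
// Added example, not from the Really Simple Security plugin. Assumes WordPress
// is loaded (WP_Error, WP_User, is_wp_error, get_user_by, wp_set_auth_cookie).

// Hypothetical lookup: returns a WP_User on success, a WP_Error otherwise.
function example_lookup_user( int $user_id, string $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'user_not_found', 'Unknown user.' );
    }
    // Constructed check: the stored nonce must match the one submitted.
    $stored = get_user_meta( $user_id, 'example_login_nonce', true );
    if ( empty( $stored ) || ! hash_equals( (string) $stored, $login_nonce ) ) {
        return new WP_Error( 'invalid_nonce', 'Login nonce does not match.' );
    }
    return $user;
}

// Unsafe pattern: the WP_Error return value is ignored, so execution falls
// through to the login step using the caller-supplied user_id.
function example_unsafe_callback( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = example_lookup_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    wp_set_auth_cookie( $user_id, true ); // runs even when $user is a WP_Error
    return rest_ensure_response( array( 'success' => true ) );
}

// Hardened pattern: refuse to proceed unless validation returned a real user,
// and only ever log in the user object that validation produced.
function example_safe_callback( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = example_lookup_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return new WP_Error( 'rest_forbidden', 'Validation failed.', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user->ID, true );
    return rest_ensure_response( array( 'success' => true ) );
}
```

When reviewing REST callbacks, the check to look for is exactly the is_wp_error() guard between the validation call and any state-changing step such as setting an auth cookie.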

Because of the severity of this vulnerability, we advise anyone using the Really Simple Security plugin to update to version 9.1.2 or later immediately. Keeping security plugins on their latest versions is the primary safeguard against vulnerabilities of this kind. Given the very large install base, the consequences of inaction could be severe for the many website owners who do not apply the needed updates.

Security experts once again stress that a layered security approach is needed. Beyond updating plugins, site admins should perform regular backups, use strong passwords and run comprehensive security scans.


Images credit: Furkan Demirkaya/Ideogram