Authentication Bypass in Really Simple Security WordPress Plugins
The Really Simple Security plugins for WordPress (Free, Pro, and Pro Multisite) contain an authentication bypass vulnerability in versions 9.0.0 through 9.1.1.1. The cause is improper handling of user checks in the two-factor REST API actions, specifically in the 'check_login_and_get_user' function. The flaw lets unauthenticated attackers gain access to any existing user account on the site, including administrator accounts, when the "Two-Factor Authentication" setting is enabled; that setting is disabled by default.
Vulnerable Product |
---|
really-simple-plugins really simple security |
Security plugin flaw in millions of WordPress sites gives admin access
By Bill Toulas, November 17, 2024, 10:19 AM

A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL'), including both free and Pro versions. Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detect...