A severe authentication bypass vulnerability has been identified in Really Simple Security (formerly Really Simple SSL), a widely used WordPress SSL plugin, enabling unauthenticated attackers to gain full administrative control of affected websites.
Installed on over a million websites, the plugin provides SSL setup, login hardening, two-factor authentication, and continuous vulnerability monitoring.
Security firm Wordfence identified the vulnerability and described it as among the most critical security issues it has handled in its twelve years of operation.
A security patch is available and updating is strongly recommended; the details follow below.
WordPress SSL Plugin Security Flaw: Details
The vulnerability, tracked as CVE-2024-10924, is exploitable when the plugin's two-factor authentication (2FA) feature is enabled.
The flaw stems from improper handling of authentication failures in the plugin's two-factor REST API endpoints.
It allows an attacker to bypass authentication and log in as any existing user, including administrators.
The flaw affects versions 9.0.0 through 9.1.1.1 of the free, Pro, and Pro Multisite editions.
Understanding the CVE-2024-10924 Security Patch
The plugin's developers fixed the issue by making the affected REST API endpoints handle verification failures correctly, so that a failed check is no longer treated as a successful login.
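The failure mode described above (a 2FA endpoint that does not treat a failed verification as a failure) and the corresponding fix, as an added illustration in WordPress-style PHP. This is not Really Simple Security's code; the route, function and user-meta names are hypothetical.

```php
<?php
// Added illustration of the bug class described above, written in WordPress
// plugin style. Not Really Simple Security's code: the route, user-meta key
// and function names are hypothetical.
add_action('rest_api_init', function () {
    register_rest_route('example-2fa/v1', '/verify', [
        'methods'             => 'POST',
        'callback'            => 'example_2fa_verify_fixed',
        'permission_callback' => '__return_true', // reachable before login by design
    ]);
});

// Looks up the user and checks the submitted one-time code.
// Returns a WP_User on success and a WP_Error on any failure.
function example_2fa_check_login_and_get_user(WP_REST_Request $request) {
    $user = get_user_by('id', (int) $request->get_param('user_id'));
    if (!$user instanceof WP_User) {
        return new WP_Error('invalid_user', 'Unknown user', ['status' => 401]);
    }
    $expected = (string) get_user_meta($user->ID, 'example_2fa_code', true);
    $given    = (string) $request->get_param('code');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return new WP_Error('invalid_code', 'Verification failed', ['status' => 401]);
    }
    return $user;
}

// VULNERABLE pattern: a WP_Error object is truthy, so "!$user" never fires on
// failure; the handler then trusts the request's user_id and logs it in.
function example_2fa_verify_vulnerable(WP_REST_Request $request) {
    $user = example_2fa_check_login_and_get_user($request);
    if (!$user) {
        return new WP_Error('invalid_code', 'Verification failed', ['status' => 401]);
    }
    wp_set_auth_cookie((int) $request->get_param('user_id'));
    return rest_ensure_response(['status' => 'ok']);
}

// FIXED pattern: treat any WP_Error as a failure and return it to the client;
// only a WP_User that actually passed verification reaches wp_set_auth_cookie().
function example_2fa_verify_fixed(WP_REST_Request $request) {
    $user = example_2fa_check_login_and_get_user($request);
    if (is_wp_error($user)) {
        return $user;
    }
    wp_set_auth_cookie($user->ID);
    return rest_ensure_response(['status' => 'ok']);
}
```

The same pattern applies to any endpoint that calls a helper returning `WP_Error` on failure: check the result with `is_wp_error()` rather than a truthiness test before granting a session.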
The fix shipped in version 9.1.2, released on November 12 for Pro users and November 14 for users of the free version.
The developers worked with WordPress.org to push a forced security update to sites running the plugin.
Even so, site administrators should confirm that their installation is running version 9.1.2.
Pro users whose license has expired do not receive automatic updates and must install version 9.1.2 manually.