A WordPress Security Plugin allows attackers to bypass login and get administrator-level access to websites

A critical vulnerability was discovered in a popular WordPress security plugin with over 4 million installations. The flaw allows attackers to log in as any user, including administrators, and gain full access to their site-level permissions. Assigned a threat score of 9.8 out of 10, it underscores the ease of exploitation and the potential for full site compromise, including malware injection, unauthorized content changes, and attacks on site visitors.
Really Simple Security
Really Simple Security is a WordPress plugin that was developed to improve protection of WordPress sites against exploits (called security hardening), enable two-factor authentication, detect vulnerabilities, and it also generates an SSL certificate. One of the reasons it promotes itself as lightweight is because it is designed as a modular package that allows users to choose which security enhancements to enable so that (in theory) the processes for disabled capabilities don't load and slow down the website. It is a popular trend in WordPress plugins that allows a package to do many things but only do the tasks that a user requires.
The plugin is promoted through affiliate reviews and according to Google AI Overview enjoys highly positive reviews. Over 97% of reviews on the official WordPress repository are rated with 5 stars, the highest possible rating, with less than 1% rating the plugin as 1 star.
What Went Wrong?
A security flaw in the plugin makes it vulnerable to authentication bypass, which is a flaw that allows an attacker to access areas of a website that require a username and a password without having to provide credentials. The vulnerability specific to Really Simple Security allows an attacker to gain access as any registered user of the website, including the administrator, simply by knowing the user name.
This is called an Unauthenticated Access Vulnerability, one of the most severe kinds of flaws because it is generally easier to exploit than an “authenticated” flaw, which requires an attacker to first obtain the user name and password of a registered user.
Wordfence explains the exact reason for the vulnerability:
“The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the “Two-Factor Authentication” setting is enabled (disabled by default).
Wordfence blocked 310 attacks targeting this vulnerability in the past 24 hours.”
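To illustrate the class of defect Wordfence describes, here is an added example that is not the plugin's own code: a hypothetical two-factor REST callback that stores the result of a user-check helper without inspecting it for an error, shown beside a hardened version that fails closed. Every function, parameter and meta key name below is an assumption made for the example.

```php
<?php
// Added illustration, not Really Simple Security's code; every name below is hypothetical.

// Hypothetical helper for a pending two-factor login. Like many WordPress
// helpers it returns a WP_User on success and a WP_Error on any failure.
function example_check_login_and_get_user( string $login, string $token ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.', array( 'status' => 401 ) );
    }
    $expected = get_user_meta( $user->ID, 'example_2fa_login_token', true );
    if ( ! is_string( $expected ) || '' === $expected || ! hash_equals( $expected, $token ) ) {
        return new WP_Error( 'invalid_token', 'Invalid two-factor token.', array( 'status' => 401 ) );
    }
    return $user;
}

// Vulnerable pattern: the helper's result is stored but never inspected, so a
// WP_Error does not stop the request and the session is created for whatever
// user name the unauthenticated caller supplied.
function example_rest_2fa_verify_vulnerable( WP_REST_Request $request ) {
    $login  = (string) $request->get_param( 'user_login' );
    $result = example_check_login_and_get_user( $login, (string) $request->get_param( 'token' ) );
    // No is_wp_error( $result ) check here: this is the defect.
    $user = get_user_by( 'login', $login );
    wp_set_auth_cookie( $user->ID, true );
    return new WP_REST_Response( array( 'logged_in' => true ), 200 );
}

// Hardened pattern: fail closed on an error, require a real WP_User, and only
// then derive the session from the verified object, never from request input.
function example_rest_2fa_verify_hardened( WP_REST_Request $request ) {
    $result = example_check_login_and_get_user(
        (string) $request->get_param( 'user_login' ),
        (string) $request->get_param( 'token' )
    );
    if ( is_wp_error( $result ) ) {
        return $result; // the REST API renders the 401 from the error's status data
    }
    if ( ! $result instanceof WP_User ) {
        return new WP_Error( 'invalid_user', 'Unknown user.', array( 'status' => 401 ) );
    }
    delete_user_meta( $result->ID, 'example_2fa_login_token' ); // single use
    wp_set_auth_cookie( $result->ID, true );
    return new WP_REST_Response( array( 'logged_in' => true ), 200 );
}
```

Because a two-factor verification endpoint is reachable before login by design, the handler's own error handling is the only gate; a `permission_callback` cannot substitute for it.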
Recommended Course Of Action:
Wordfence encourages users of the plugin to update to Really Simple Security version 9.1.2 (or a higher version).
The Really Simple Security plugin’s changelog responsibly announces the reason for the updated software:
“Changelog
9.1.2
security: authentication bypass”
Read the Wordfence security advisory:
Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 – 9.1.1.1 – Authentication Bypass
SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com
I have 25 years of hands-on experience in SEO, evolving along with the search engines by keeping up with the latest ...