A critical flaw in Really Simple Security allows attackers to log in as any user without a password when the plugin's two-factor authentication (2FA) feature is enabled. The vulnerability is so easy to exploit that patching it must be treated as a priority.
The popular plugin Really Simple Security is affected by an extremely critical bug, discovered by the security firm Wordfence. Wordfence, which has provided WordPress security for 12 years, considers this the most serious vulnerability it has found in that time. Roughly four million WordPress sites use Really Simple Security.
The impact is severe. Because of a faulty line of code in the 2FA implementation, an invalid "login_nonce" parameter does not abort the login: the plugin notes the failure but continues to authenticate the user based solely on the supplied user identifier. An attacker who knows or guesses a user ID can therefore complete the login flow without the password or the second factor.
Ironically, the flaw is only reachable when site owners have enabled 2FA, that is, when they have followed security best practice. The bug is tracked as CVE-2024-10924 and affects versions 9.0.0 through 9.1.1.1 of the Free, Pro and Pro Multisite editions.
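The following is an added illustration of the fail-open check described above, written in Python to make the logic visible; it is not the plugin's own PHP code. The user table, the login secret and the function names are constructed for the example. The vulnerable variant records the nonce failure but never returns on it, so control falls through to the user lookup; the fixed variant returns before any user is looked up.

```python
# Added illustration of the fail-open check behind CVE-2024-10924, written in
# Python to show the logic; it is NOT the plugin's own PHP code. USERS,
# LOGIN_SECRET and the function names are constructed for this example.
import hashlib
import hmac
import secrets

# Constructed stand-in for the WordPress users table (user_id -> login name).
USERS = {1: "admin", 2: "editor"}

# Server-side secret used to mint per-user login nonces after the password step.
LOGIN_SECRET = secrets.token_bytes(32)


def issue_login_nonce(user_id: int) -> str:
    """Mint the nonce a user receives after passing the password step."""
    return hmac.new(LOGIN_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()


def verify_login_nonce(user_id: int, login_nonce: str) -> bool:
    """Constant-time check that the presented nonce belongs to this user id."""
    return hmac.compare_digest(issue_login_nonce(user_id), login_nonce)


def check_login_vulnerable(user_id: int, login_nonce: str):
    """Fail-open: the invalid-nonce branch sets an error but does not return.

    Control falls through to the user lookup, so any existing user id is
    treated as authenticated no matter what nonce was supplied.
    """
    error = None
    if not verify_login_nonce(user_id, login_nonce):
        error = "invalid login nonce"  # recorded, never acted on
    user = USERS.get(user_id)          # lookup happens regardless of error
    if user is None:
        return None
    return user                        # attacker-chosen user id -> session


def check_login_fixed(user_id: int, login_nonce: str):
    """Fail-closed: an invalid nonce ends the request before any user lookup."""
    if not verify_login_nonce(user_id, login_nonce):
        return None
    return USERS.get(user_id)


if __name__ == "__main__":
    bogus = "0" * 64  # attacker supplies garbage instead of a real nonce
    print("vulnerable:", check_login_vulnerable(1, bogus))  # admin
    print("fixed:     ", check_login_fixed(1, bogus))       # None
```

The point of the contrast is that the nonce verification itself is sound in both variants; what turns it into an authentication bypass is that the failure branch does not terminate the request, so the lookup by user id becomes the only thing standing between the attacker and a session.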
Automatic updates
Version 9.1.2 of Really Simple Security no longer contains the flaw. The update was released on November 12 for free users and on November 14 for Pro users. The developers worked with WordPress.org to force-push the update, which succeeded for many sites but certainly not for all of them.
Check immediately whether version 9.1.2 or later of Really Simple Security is active. The flaw is trivial for criminals to exploit, and exploitation can be automated at scale. Wordfence Premium, Care and Response customers have received a firewall rule that blocks abuse; this rule is available to paying users now, and users of the free Wordfence plugin will receive it on December 6, but waiting for it is not advisable.
Does your website use Really Simple Security (formerly Really Simple SSL)? If so, check immediately that version 9.1.2 or later is installed.
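As an added helper (not from this article or from the plugin's authors), the script below reads the "Version:" field from a WordPress plugin's main file and reports whether it falls in the affected range 9.0.0 up to and including 9.1.1.1. The plugin file path is assumed from the plugin's slug and the sample header is constructed; the same check can be done from the command line with WP-CLI, for example `wp plugin get really-simple-ssl --field=version`. Versions are compared numerically, because a string comparison would misjudge four-part versions such as 9.1.1.1 against future releases like 9.1.10.

```python
# Added helper, not from the page or the plugin: read the "Version:" header of a
# WordPress plugin's main file and report whether it falls in the affected range
# (9.0.0 up to and including 9.1.1.1; fixed in 9.1.2). The sample header and
# the plugin path are constructed/assumed for this example.
import re
from pathlib import Path

PLUGIN_SLUG = "really-simple-ssl"
AFFECTED_FROM = (9, 0, 0)
FIXED_IN = (9, 1, 2)

# Assumed location of the plugin's main file inside a WordPress install.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins") / PLUGIN_SLUG / "rlrsssl-really-simple-ssl.php"


def parse_version(text: str) -> tuple:
    """'9.1.1.1' -> (9, 1, 1, 1): compare numerically, never as strings
    ('9.1.10' < '9.1.2' lexically, which would wrongly flag a patched site)."""
    return tuple(int(p) for p in text.strip().split("."))


def read_plugin_version(header_text: str):
    """Pull the Version: field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when version is in [9.0.0, 9.1.2), i.e. still carries CVE-2024-10924."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def check_plugin_file(path=DEFAULT_PLUGIN_FILE) -> str:
    """Return 'absent', 'unknown', 'affected' or 'patched' for the file at path."""
    path = Path(path)
    if not path.is_file():
        return "absent"
    version = read_plugin_version(path.read_text(errors="replace"))
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "patched"


# Constructed sample header in the shape WordPress plugin main files use.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

if __name__ == "__main__":
    v = read_plugin_version(SAMPLE_HEADER)
    print(v, "affected" if is_affected(v) else "patched")  # 9.1.1.1 affected
    print(check_plugin_file())
```

Run it from the WordPress document root, or pass the path to the plugin's main file explicitly; an "absent" result simply means the file was not found at the assumed location, not that the site is safe.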