Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

A WordPress plug-in installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.

Researchers from Wordfence called the authentication bypass flaw "one of the more serious vulnerabilities" that they have ever identified, uncovering it earlier this month in a plug-in from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.

"The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled," Wordfence security researcher Istvan Marton wrote in the post.

The flaw exists due to improper user check error handling in the two-factor REST API actions with the "check_login_and_get_user" function, according to Wordfence. Moreover, because the flaw is scriptable, it can be weaponized against numerous WordPress sites simultaneously in an automated way.

Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence's advice, Really Simple Security force-updated all sites running the plug-in two days later.

Related:Akamai Reports Third Quarter 2024 Financial Results

Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as "it appears that sites without a valid license may not have auto-updates functioning," Marton noted in the post.

New 'Really Simple Security' Feature Introduces Flaw

The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.

During this revamp, one of the features adding 2FA "was insecurely implemented" to introduce the flaw, which allows an attacker to create a simple request to gain access to any user account with 2FA on.

Specifically, the plug-in uses the skip_onboarding() function in the Rsssl_Two_Factor_On_Board_Api class to handle authentication via REST API that returns a WP_REST_Response error in case of a failure. However, this is not handled within the function, which "means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect()," Marton wrote. This "authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified," he wrote.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.

"As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it," Marton explained.

Wordfence: Spread the Word, Check Your Plug-ins

Due to its widespread use as a foundation for millions of websites, the WordPress platform and its plug-ins especially are a notoriously popular threat target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit singular plug-ins with large install bases, making flaws like the one found in Really Simple Security's plug-in an attractive target.

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.

"If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," Marton wrote in the post.