WordPress has found itself at the center of another security issue. A widely-used plug-in is vulnerable, potentially allowing attackers to take over an entire website.

Critical Vulnerability Detected

More than 4 million sites are using a WordPress plug-in called Really Simple Security. This plug-in had a flaw that left sites open to an administrative takeover. A report from Wordfence alerted users about this issue.


What Happened?

The flaw allows hackers to bypass two-factor authentication (2FA). This is a big deal because it lets them remotely gain access to any account on a site, even those with admin privileges.

Wordfence described the threat as one of the more severe vulnerabilities they’ve found. The flaw carries a CVSS score of 9.8, which is considered “critical.” Versions of the Really Simple Security Pro and Pro Multisite plug-ins between 9.0.0 and 9.1.1.1 were affected.

How Does the Flaw Work?

The issue is with the plug-in’s two-factor REST API actions. According to Wordfence researcher Istvan Marton, the function responsible for checking logins and user access was flawed. If exploited, this flaw allows attackers to gain control of the site.

Here’s the gist: the plug-in does not properly handle errors during authentication. Because of this, anyone could gain access, even when 2FA is enabled. The flaw could be exploited with a script, enabling attackers to target many WordPress sites simultaneously.

Here’s a breakdown:

| Feature | What Went Wrong |
|---|---|
| 2FA | The function check_login_and_get_user wasn’t checking users correctly. |
| REST API | Failed responses were not handled, allowing attackers to exploit it. |
| Automation | The vulnerability can be used in automated attacks targeting many sites. |

The Fix

Wordfence acted fast when they discovered the flaw earlier this month. They informed the plug-in’s vendor, Really Simple Security, immediately. A patched version (9.1.2) was released on Nov. 12 to address the problem. To prevent users from being at risk, Wordfence and the vendor force-updated sites still using the outdated plug-in on Nov. 14.

According to Wordfence, any site running the vulnerable version needs to install the new version.

However, there’s a catch. Not everyone gets automatic updates. If a site doesn’t have a valid license, automatic updates don’t work, leaving those users at greater risk. Wordfence is advising all administrators to check if the patch has been applied.

A Simple Feature Gone Wrong

The flaw arose after the latest major revision of Really Simple Security. The plug-in was once only known as Really Simple SSL. But, with the revamp, new security features like 2FA and vulnerability detection were added. Unfortunately, the introduction of the 2FA feature was where things went south.

The issue lies with the function skip_onboarding(), which was meant to authenticate the user. When there’s an error, this function continues to process the incomplete request. In other words, the system did not stop when authentication failed, so access was granted without proper verification.
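To make the error-handling failure described in the two paragraphs above concrete, here is an added, simplified PHP sketch written for this page; it is not the Really Simple Security plug-in’s actual code. It shows a REST handler that ignores the WP_Error returned by its login check, beside a hardened version that stops on error; the example_ function names, the nonce action string and the request fields are assumptions.

```php
<?php
// Added illustration of the flaw pattern: a login check that reports failure
// via WP_Error, and a caller that forgets to look at it. Function names, nonce
// action and request fields are assumptions; this is not the plug-in's code.

// Returns a WP_User on success, or a WP_Error when the login check fails.
function example_check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! wp_verify_nonce( $login_nonce, 'example_login_nonce' ) ) {
        return new WP_Error( 'invalid_nonce', 'Login nonce is invalid or expired.', array( 'status' => 403 ) );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'No such user.', array( 'status' => 403 ) );
    }
    return $user;
}

// VULNERABLE pattern: the return value is never tested with is_wp_error(),
// so the handler falls through and logs in whatever user ID the request named.
function example_skip_onboarding_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = example_check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    // Missing here: if ( is_wp_error( $user ) ) { return $user; }
    wp_set_auth_cookie( $user_id, true ); // runs even after the check failed
    return rest_ensure_response( array( 'status' => 'logged_in' ) );
}

// HARDENED pattern: stop on any error, and only trust the verified user object.
function example_skip_onboarding_fixed( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = example_check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    if ( is_wp_error( $user ) ) {
        return $user; // the REST layer turns this into a 403 response
    }
    wp_set_auth_cookie( $user->ID, true ); // ID comes from the verified object, not from the request
    return rest_ensure_response( array( 'status' => 'logged_in' ) );
}
```

The defensive rule this illustrates: every caller of a function that can return WP_Error must check is_wp_error() before acting, and a session should only ever be created from the user object the check returned.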

What Now?

Though the plug-in has been patched, Wordfence urges all users to stay on alert. Due to the popularity of the WordPress platform and its plug-ins, hackers often target single plug-ins with large user bases. This gives attackers a wide range of targets for mass attacks.

WordPress plug-ins are common entry points for hackers, and keeping these plug-ins updated is one of the best ways to prevent breaches.

“We’re advising any users of this plug-in to review their site’s security and ensure the update got applied automatically,” Marton said.

Spread the Word

Even though Wordfence and the Really Simple Security team quickly acted, websites need maximum patch coverage to avoid being exploited.

Wordfence recommends people who know others using this plug-in spread the word about the flaw. This will ensure the highest patch compliance possible.

“If you know someone who runs this plug-in on their site, forward this advisory to them. It’s crucial to update,” added Marton.