A critical vulnerability was discovered in a popular WordPress security plugin with over 4 million installations. The flaw allows attackers to log in as any user, including administrators, and gain full access to their site-level permissions. Assigned a threat score of 9.8 out of 10, it underscores the ease of exploitation and the potential for full site compromise, including malware injection, unauthorized content changes, and attacks on site visitors.
Really Simple Security
Really Simple Security is a WordPress plugin that was developed to improve resistance of WordPress sites against exploits (called security hardening), enable two-factor authentication, detect vulnerabilities and it also generates an SSL certificate. One of the reasons it promotes itself as lightweight is because it’s designed as a modular software that allows users to choose what security enhancements to enable so that (in theory) the processes for disabled capabilities don’t load and slow down the website. It’s a popular trend in WordPress plugins that allows a software to do many things but only do the tasks that a user requires.
The plugin is promoted through affiliate reviews and according to Google AI Overview enjoys highly positive reviews. Over 97% of reviews on the official WordPress repository are rated with five stars, the highest possible rating, with less than 1% rating the plugin as 1 star.
What Went Wrong?
A security flaw in the plugin makes it vulnerable to authentication bypass, which is a flaw that allows an attacker to access areas of a website that require a username and a password without having to provide credentials. The vulnerability specific to Really Simple Security allows an attacker to acquire access of any registered user of the website, including the administrator, simply by knowing the user name.
This is called an Unauthenticated Access Vulnerability, one of most severe kinds of flaws because it is generally easier to exploit than an “authenticated” flaw which requires an attacker to first attain the user name and password of a registered user.
Wordfence explains the exact reason for the vulnerability:
“The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the “Two-Factor Authentication” setting is enabled (disabled by default).
Wordfence blocked 310 attacks targeting this vulnerability in the past 24 hours.”