A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites,” Wordfence security researcher István Márton said.