A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), affects both the free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites,” Wordfence security researcher István Márton said.
Following responsible disclosure on November 6, 2024, the shortcoming was patched in version 9.1.2, released a week later. The risk of potential abuse prompted the plugin maintainers to work with WordPress to force-update all sites running the plugin prior to public disclosure.
According to Wordfence, the authentication bypass vulnerability, present in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called “check_login_and_get_user,” allowing unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled.
“Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.
Successful exploitation of the vulnerability could have serious consequences, as it could enable malicious actors to hijack WordPress sites and further use them for criminal purposes.
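The bug class Wordfence describes, an error value that the caller never inspects, is easy to see in code. The following PHP is an added illustration written for this article, not the plugin's own code: only the helper name check_login_and_get_user comes from the advisory, while the helper's body, the REST route, the request fields (user_id, login_nonce) and the user-meta keys are all assumed for the example.

```php
<?php
/**
 * Illustrative reconstruction of the bug class described above. NOT the
 * plugin's code: the helper body, the REST route, the request fields and the
 * user-meta keys are assumed. Only the name check_login_and_get_user comes
 * from the advisory.
 */

// Assumed helper: looks the user up and verifies a one-time login nonce that
// an earlier login step would have stored. Failure is signalled with WP_Error.
function check_login_and_get_user( $user_id, $login_nonce ) {
    $user = get_userdata( $user_id );
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'invalid_user', 'Unknown user', array( 'status' => 403 ) );
    }
    $stored = (string) get_user_meta( $user->ID, 'example_login_nonce', true );
    if ( '' === $stored || ! hash_equals( $stored, (string) $login_nonce ) ) {
        return new WP_Error( 'invalid_nonce', 'Login check failed', array( 'status' => 403 ) );
    }
    return $user;
}

// Vulnerable shape: the return value is never tested with is_wp_error(), so a
// request carrying an arbitrary user_id and any nonce value sails past the
// failed check and ends up authenticated as that user.
function vulnerable_skip_onboarding( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = check_login_and_get_user( $user_id, $request->get_param( 'login_nonce' ) );
    // missing: if ( is_wp_error( $user ) ) { return $user; }
    update_user_meta( $user_id, 'example_two_fa_status', 'disabled' );
    wp_set_auth_cookie( $user_id, true ); // logs the caller in as $user_id
    return new WP_REST_Response( array( 'redirect_to' => admin_url() ), 200 );
}

// Hardened shape: a WP_Error aborts the handler (the REST API turns it into a
// 4xx response), and only the WP_User the check actually returned is ever
// authenticated, never the client-supplied ID.
function hardened_skip_onboarding( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = check_login_and_get_user( $user_id, $request->get_param( 'login_nonce' ) );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'invalid_user', 'Login check failed', array( 'status' => 403 ) );
    }
    delete_user_meta( $user->ID, 'example_login_nonce' ); // nonce is single use
    update_user_meta( $user->ID, 'example_two_fa_status', 'disabled' );
    wp_set_auth_cookie( $user->ID, true );
    return new WP_REST_Response( array( 'redirect_to' => admin_url() ), 200 );
}

// The route has to be reachable without a session (the caller is mid-login),
// which is exactly why the handler's own check is the only gate.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/two-fa/skip-onboarding', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_skip_onboarding',
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_id'     => array( 'required' => true, 'type' => 'integer' ),
            'login_nonce' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

Against the vulnerable handler, one unauthenticated POST with user_id set to an administrator's ID and any value for login_nonce yields an admin session cookie, which is what “with a simple request” means in practice. Two things change in the hardened form: the error is treated as fatal, and the ID that gets a cookie comes from the object the check returned rather than from the request.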
The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8), that could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.
Specifically, the theme, prior to version 4.963, is “vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks,” allowing unauthenticated attackers to delete arbitrary files on the server.
“This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site’s wp-config.php file,” it said. “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”
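The two controls the WPLMS advisory says were insufficient, file path validation and permission checks, look like this when present. The PHP below is an added example for this article, not the theme's code; every function and parameter name in it (the admin-ajax action, the “file” request field, the nonce action name) is assumed, and the sample file it creates is constructed for the stand-alone check.

```php
<?php
/**
 * Illustrative example of file path validation and permission checks for a
 * WordPress file-delete handler. Not the theme's code; all names are assumed.
 */

// Vulnerable shape: no nonce, no capability check, and the client-supplied
// path is joined to the uploads directory as-is, so a value such as
// "../../wp-config.php" resolves outside it.
function vulnerable_delete_upload() {
    $upload = wp_upload_dir();
    $target = $upload['basedir'] . '/' . $_POST['file'];
    wp_send_json( array( 'deleted' => unlink( $target ) ) );
}

// Resolve a relative name against a base directory and return the absolute
// path only if it lies strictly inside that directory, false otherwise.
// realpath() collapses "..", resolves symlinks and fails for missing files,
// so the prefix comparison is made on canonical paths.
function resolve_inside_dir( $base_dir, $relative ) {
    $base = realpath( $base_dir );
    $full = realpath( rtrim( $base_dir, '/\\' ) . '/' . ltrim( (string) $relative, '/\\' ) );
    if ( false === $base || false === $full ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $full, $base, strlen( $base ) ) ) {
        return false; // escaped the directory, or named the directory itself
    }
    return $full;
}

// Hardened shape for an admin-ajax handler. The read handler would use the
// same resolver before readfile().
function hardened_delete_upload() {
    check_ajax_referer( 'example_delete_upload', 'nonce' ); // rejects forged requests
    if ( ! current_user_can( 'upload_files' ) ) {           // authorization, not just a session
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $target = resolve_inside_dir( $upload['basedir'], isset( $_POST['file'] ) ? $_POST['file'] : '' );
    if ( false === $target || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    $type = wp_check_filetype( $target );                   // only WordPress-allowed upload types
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'unsupported file type', 400 );
    }
    wp_send_json_success( array( 'deleted' => unlink( $target ) ) );
}

// Stand-alone check of the containment helper (plain PHP, no WordPress needed).
if ( PHP_SAPI === 'cli' && ! function_exists( 'wp_upload_dir' ) ) {
    $dir = sys_get_temp_dir() . '/example_uploads';
    if ( ! is_dir( $dir ) ) {
        mkdir( $dir );
    }
    file_put_contents( $dir . '/photo.jpg', 'constructed sample file' );
    var_dump( resolve_inside_dir( $dir, 'photo.jpg' ) );        // a file inside $dir
    var_dump( resolve_inside_dir( $dir, '../../etc/passwd' ) ); // traversal attempt
    var_dump( resolve_inside_dir( $dir, '.' ) );                // the directory itself
}
```

The containment test deliberately compares canonical paths with a trailing separator on the base, so that a sibling directory sharing the prefix (uploads2 beside uploads) and the base directory itself are both rejected. Blocking the traversal alone would not have been enough here: the advisory pairs the path problem with missing permission checks, so the nonce and capability check are part of the fix, not decoration.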