{"id":6281,"date":"2024-11-18T14:14:15","date_gmt":"2024-11-18T20:14:15","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/critical-wordpress-plugin-flaw-4m-sites-takeover"},"modified":"2024-11-18T14:14:15","modified_gmt":"2024-11-18T20:14:15","slug":"critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/18\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover\/","title":{"rendered":"Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A <\/span>WordPress plug-in<\/a><\/span> installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.<\/span><\/p>\n

Researchers from Wordfence called the authentication bypass flaw “one of the more serious vulnerabilities” that they have ever identified, <\/span>uncovering it<\/a><\/span> earlier this month in <\/span>a plug-in<\/a><\/span> from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.<\/span><\/p>\n

“The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled,” Wordfence security researcher Istvan Marton wrote in the post.<\/span><\/p>\n

The flaw exists due to improper user check error handling in the two-factor REST API actions with the “check_login_and_get_user” function, according to Wordfence. Moreover, because the flaw is scriptable, it <\/span>can be weaponized<\/a><\/span> against numerous WordPress sites simultaneously in an automated way.<\/span><\/p>\n

Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence’s advice, Really Simple Security force-updated all sites running the plug-in two days later.<\/span><\/p>\n

Related:<\/span>DHS Releases Secure AI Framework for Critical Infrastructure<\/a><\/p>\n

Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as “it appears that sites without a valid license may not have auto-updates functioning,” Marton noted in the post.<\/span><\/p>\n

New ‘Really Simple Security’ Feature Introduces Flaw<\/h2>\n

The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.<\/span><\/p>\n

During this revamp, one of the features adding 2FA “was insecurely implemented” to introduce the flaw, which allows an attacker to create a simple request to gain access to any user account with 2FA on.<\/span><\/p>\n

Specifically, the plug-in uses the skip_onboarding() function in the Rsssl_Two_Factor_On_Board_Api class to handle authentication via REST API that returns a WP_REST_Response error in case of a failure. However, this is not handled within the function, which “means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(),” Marton wrote. This “authenticates the user based on the user id passed in the request, even when that user\u2019s identity hasn\u2019t been verified,” he wrote.<\/span><\/p>\n

Related:<\/span>Microsoft Pulls Exchange Patches Amid Mail Flow Issues<\/a><\/p>\n

Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.<\/span><\/p>\n

“As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it,” Marton explained.<\/span><\/p>\n

Wordfence: Spread the Word, Check Your Plug-ins<\/h2>\n

Due to its widespread use as a foundation for millions of websites, the <\/span>WordPress platform<\/a><\/span> and its plug-ins especially are a notoriously <\/span>popular threat target<\/a><\/span> for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit <\/span>singular plug-ins<\/a><\/span> with large install bases, making flaws like the one found in Really Simple Security’s plug-in an attractive target.<\/span><\/p>\n

Related:<\/span>ChatGPT Exposes Its Instructions, Knowledge & OS Files<\/a><\/p>\n

Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.<\/span><\/p>\n

“If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk,” Marton wrote in the post.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A WordPress plug-in installed on more than 4 million websites<\/p>\n","protected":false},"author":12,"featured_media":6282,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-6281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/critical-wordpress-plug-in-flaw-exposes-4m-sites-to-takeover.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6281"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6281\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/6282"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}