According to Wordfence, the vulnerability, assigned the identifier CVE-2024-10924 and rated up to 9.8 on the CVSS scale (maximum 10), lies in the Really Simple Security plugin (extension) and affects all three editions, free and paid, from version 9.0.0 through 9.1.1.1. Really Simple Security, formerly Really Simple SSL, is very popular: more than 4 million WordPress websites have it installed.
Really Simple Security is a lightweight, easy-to-use security plugin that helps secure WordPress websites by generating SSL certificates, enforcing redirects to secure https connections, scanning for possible vulnerabilities, protecting logins, and more. The paid version sells for $49/year and adds features such as a firewall and protection of visitors from malicious agents.
Famous WordPress security plugin just got a very serious security flaw
Wordfence describes CVE-2024-10924 as an authentication bypass: when the plugin's "Two-Factor Authentication" feature is enabled, an attacker can gain access to existing accounts, including administrator accounts, without knowing their credentials. The danger is that the flaw can be exploited at scale, because the attack is easy to automate.
Wordfence rolled out a firewall rule for its paid users on November 6, 2024 and will extend it to free users on December 6, 2024. WordPress websites using the Really Simple Security plugin should update to version 9.1.2 as soon as possible; hosting providers should also push the plugin update automatically to their customers and scan their hosting systems for vulnerable versions.
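The scan that hosting providers are advised to run can be done from the shell. The script below is an added example written for this page; it is not code from Wordfence or from the Really Simple Security plugin. It assumes the plugin lives in a `wp-content/plugins` directory whose name starts with `really-simple-ssl` (the free, Pro and Pro Multisite editions on a typical install) and that the version is declared in the standard WordPress `Version:` plugin header of the main PHP file; adjust the path pattern to your hosting layout if it differs.

```shell
#!/bin/sh
# Added example (not part of the original article): find Really Simple Security
# installs in the affected range 9.0.0 - 9.1.1.1 (CVE-2024-10924) under a hosting root.
# Assumption: plugin directories are named really-simple-ssl* under wp-content/plugins.

# Returns 0 (true) when the version is within 9.0.0 .. 9.1.1.1, 1 otherwise.
# Version ordering is delegated to sort -V so 9.1.1.1 < 9.1.2 is handled correctly.
rsssl_vulnerable() {
    v=$1
    lo=$(printf '%s\n%s\n' "$v" 9.0.0 | sort -V | head -n 1)
    hi=$(printf '%s\n%s\n' "$v" 9.1.1.1 | sort -V | tail -n 1)
    [ "$lo" = "9.0.0" ] && [ "$hi" = "9.1.1.1" ]
}

# Print the value of the "Version:" plugin header from the PHP files at the top
# level of a plugin directory (the main plugin file carries this header).
plugin_version() {
    grep -h -m 1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Walk every site under the hosting root and print one line per install:
# "VULNERABLE <version> <path>" or "ok <version> <path>".
# -prune stops find from descending into the plugin's own subdirectories.
scan_rsssl() {
    root=$1
    find "$root" -type d -path '*/wp-content/plugins/really-simple-ssl*' -prune -print 2>/dev/null |
    while IFS= read -r dir; do
        ver=$(plugin_version "$dir")
        [ -n "$ver" ] || continue
        if rsssl_vulnerable "$ver"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$dir"
        else
            printf 'ok %s %s\n' "$ver" "$dir"
        fi
    done
}

# Usage: scan_rsssl /var/www   (or whatever directory holds the customer sites)
```

Run `scan_rsssl /var/www | grep '^VULNERABLE'` to get only the installs that still need the 9.1.2 update; the version comparison is kept in its own function so it can be reused against a list of versions pulled from a control panel or database instead of the filesystem.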
Source: https://thanhnien.vn/lo-hong-bao-mat-anh-huong-4-trieu-website-wordpress-185241116130652154.htm