
Security plugin flaw in millions of WordPress sites gives admin access

A critical authentication bypass vulnerability has been discovered affecting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both the free and Pro versions.

Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used on over 4 million websites.

Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to affected sites.

To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.

Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure no one is running a vulnerable version.

2FA leading to weaker security

The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence researcher István Márton on November 6, 2024.


It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.

Specifically, the problem lies in the ‘check_login_and_get_user()’ function, which verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.

When ‘login_nonce’ is invalid, the request is not rejected, as it should be, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing an authentication bypass.

The flaw is exploitable when two-factor authentication (2FA) is enabled, and even though it is disabled by default, many administrators enable it for stronger account security.

CVE-2024-10924 affects plugin versions from 9.0.0 up to and including 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases.

The developer addressed the flaw by ensuring that the code now correctly handles ‘login_nonce’ verification failures, exiting the ‘check_login_and_get_user()’ function immediately.
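The control-flow defect described above and the fix just mentioned, as an added illustration that is not the plugin's own code: nonce lookup, the nonce store and the session-creating step are simplified stand-ins with constructed values, and only the function and parameter names come from the article.

```php
<?php
// Added illustration, not the plugin's code. The nonce store, nonce_is_valid()
// and the body of authenticate_and_redirect() are assumed stand-ins.

// Constructed stand-in for a nonce store: user_id => expected login_nonce.
$valid_nonces = [42 => 'constructed-nonce-for-user-42'];

function nonce_is_valid(int $user_id, string $login_nonce, array $store): bool {
    return isset($store[$user_id]) && hash_equals($store[$user_id], $login_nonce);
}

// Stand-in for the session-creating step; returns the id it logged in.
function authenticate_and_redirect(int $user_id): int {
    return $user_id;
}

// Vulnerable shape: a failed nonce check falls through to a step that
// trusts user_id alone, so the caller is logged in as that user anyway.
function check_login_and_get_user_vulnerable(int $user_id, string $login_nonce, array $store): ?int {
    if (!nonce_is_valid($user_id, $login_nonce, $store)) {
        // Defect: no early return here, execution continues below.
    }
    return authenticate_and_redirect($user_id);
}

// Fixed shape: an invalid nonce exits immediately, before any authentication.
function check_login_and_get_user_fixed(int $user_id, string $login_nonce, array $store): ?int {
    if (!nonce_is_valid($user_id, $login_nonce, $store)) {
        return null; // rejected: no session is created
    }
    return authenticate_and_redirect($user_id);
}

// The same bad nonce is accepted by the vulnerable shape and rejected by the fix.
var_dump(check_login_and_get_user_vulnerable(42, 'wrong-nonce', $valid_nonces));
var_dump(check_login_and_get_user_fixed(42, 'wrong-nonce', $valid_nonces));
```

The defensive check to carry away is that every authentication failure branch must terminate the request before any code path that creates a session is reached.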

The fixes were applied in version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.


The vendor coordinated with WordPress.org to perform forced security updates for users of the plugin, but site administrators still need to check that they are running the latest version (9.1.2).

Users of the Pro version have auto-updates disabled when their license expires, so they must manually update to 9.1.2.

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed roughly 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.
