A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker full administrative access to a vulnerable site remotely.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), affects both the free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites,” Wordfence security researcher István Márton said.
Following responsible disclosure on November 6, 2024, the shortcoming was patched in version 9.1.2, released a week later. The risk of potential abuse prompted the plugin maintainers to work with WordPress to force-update all sites running the plugin prior to public disclosure.
According to Wordfence, the authentication bypass vulnerability, present in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called “check_login_and_get_user,” thereby allowing unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled.
“Unfortunately, one of the features adding two-factor authentication was insecurely implemented, making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.
Successful exploitation of the vulnerability could have serious consequences, as it could allow malicious actors to hijack WordPress sites and further use them for criminal purposes.
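The “improper user check error handling” described above is an instance of a common WordPress bug class: a verification helper returns a WP_Error on failure, the caller never asks is_wp_error(), and a user ID taken from the request is then authenticated. The following is an added illustration of that pattern beside its hardened form; it is not the plugin's own code, and every name except check_login_and_get_user() (and the WordPress core functions) is hypothetical.

```php
<?php
// Constructed illustration, not code from the Really Simple Security plugin.
// Stand-in for the verification step: returns a WP_User on success and a
// WP_Error on failure. A WP_Error is a truthy object, so it survives a plain
// if ( $user ) test unless the caller explicitly calls is_wp_error().
function check_login_and_get_user( int $user_id, string $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    // 'login_nonce_hash' is a hypothetical user-meta key for this example.
    $expected = $user ? (string) get_user_meta( $user->ID, 'login_nonce_hash', true ) : '';
    if ( ! $user || $expected === '' || ! hash_equals( $expected, hash( 'sha256', $login_nonce ) ) ) {
        return new WP_Error( 'invalid_login', 'Login verification failed.' );
    }
    return $user;
}

// Vulnerable shape (hypothetical endpoint callback): the return value is never
// checked, so a failed verification still reaches the authentication calls,
// and the user_id authenticated is the one supplied in the request.
function two_fa_skip_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = check_login_and_get_user( $user_id, (string) $request->get_param( 'login_nonce' ) );
    // Missing: if ( is_wp_error( $user ) ) { return an error response; }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

// Hardened shape: stop on WP_Error, and authenticate only the verified user
// object's ID, never the raw request parameter.
function two_fa_skip_hardened( WP_REST_Request $request ) {
    $user = check_login_and_get_user(
        (int) $request->get_param( 'user_id' ),
        (string) $request->get_param( 'login_nonce' )
    );
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return new WP_REST_Response( array( 'status' => 'error' ), 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}
```

When auditing similar code, grep for callers of any helper that can return WP_Error and confirm each one checks is_wp_error() before the result influences authentication or authorization.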
The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8), that could allow unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.
Specifically, the theme, prior to version 4.963, is “vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks,” allowing unauthenticated attackers to delete arbitrary files on the server.
“This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site's wp-config.php file,” it said. “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”