Key Takeaways
- A popular WordPress security plugin called Really Simple Security has a major flaw that allows attackers to bypass authentication.
- With a threat score of 9.8/10, this flaw allows attackers to enter a site as administrators, with full access to make any changes they want.
- The flaw is yet to be fixed but another WordPress security plugin called Wordfence has been blocking as many attacks as it can.
A newly discovered vulnerability in a popular WordPress security plugin has put over 4 million websites at risk.
The plugin is called Really Simple Security which was initially launched as Really Simple SSL in 2015. Its initial purpose was simple – it would allow you to Migrate your WordPress site to HTTPS/SSL.
Later, it was developed into a full-fledged security solution that protected websites against external attacks, offered two-factor authentication, detected flaws, and generated SSL certificates.
The reason why this plugin was so popular among website owners is because it was lightweight. You could choose which security functions you wanted for your site and the rest would be disabled in a way that they won’t even load and slow your website.
And so far, it has had amazing reviews as well. More than 97% of the reviews in the WordPress repository are five stars and only 1% of the reviews are rated 1 star.
About the Flaw: What Went Wrong?
After offering such flawless performance during the year, the plugin was hit by a major flaw that is affecting all its versions from 9.0.0 to 9.1.1.1.
This flaw allows any user to log in as an administrator and get full access to the site including site-level permissions. All that the attacker has to do is have the username of the particular user they are trying to log in as.
This kind of flaw is called an Unauthenticated Access Vulnerability – one of the most severe kinds of vulnerability that has been assigned a threat score of 9.8 out of 10.
If an attacker successfully manages to compromise a site, the consequences can be huge. They might inject malware into it and attack all the users that come in contact or steal user data and spread harmful content.
Wordfence, another security plugin for WordPress has also addressed the issue. Explaining the reason behind this vulnerability, it said that it’s likely caused by “improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function.”
In the meantime, the plugin has also blocked 310 such attacks in the last 24 hours and has urged users of Really Simple Security to update to the 9.1.2 version or higher.
Add Techreport to Your Google News Feed
Get the latest updates, trends, and insights delivered straight to your fingertips. Subscribe now!
The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.