A essential vulnerability has been found within the common “Actually Easy Safety” WordPress plugin, previously often called “Actually Easy SSL,” placing over 4 million web sites in danger.
The flaw, recognized as CVE-2024-10924, exposes web sites utilizing the plugin to potential distant assaults, enabling risk actors to achieve unauthorized administrative entry.
Vulnerability Overview
The vulnerability impacts variations 9.0.0 by means of 9.1.1.1 of the Easy Safety plugin, together with the Professional and Professional Multisite variations.
Exploiting an authentication bypass flaw, attackers can remotely entry any person account, together with administrator accounts, if the “Two-Issue Authentication” function is enabled.
Free Final Steady Safety Monitoring Information - Obtain Right here (PDF)
The flaw stems from improper dealing with of person verification within the plugin’s two-factor REST API features.
This safety challenge is especially regarding as a result of its excessive CVSS rating of 9.8, classifying it as “Essential.”
The vulnerability permits attackers to achieve entry to privileged accounts and take full management of affected web sites.
A big-scale automated assault exploiting this flaw may probably goal thousands and thousands of WordPress websites globally.
Upon figuring out the problem on November 6, 2024, Wordfence Menace Intelligence started working carefully with the plugin’s vendor to handle the vulnerability.
The developer responded promptly, and a patched model of the plugin (9.1.2) was launched on November 14, 2024.
The WordPress.org plugins workforce additionally initiated a compelled replace to make sure that most websites utilizing the plugin are robotically up to date to the safe model.
Nevertheless, website homeowners are strongly suggested to manually confirm that their plugins are up to date to model 9.1.2 or larger. Web sites working older variations stay susceptible to potential assaults.
With over 4 million web sites nonetheless counting on this important plugin, website directors are urged to verify their WordPress installations and apply the replace instantly.
Moreover, customers of the Professional and Professional Multisite variations with out auto-update enabled ought to manually set up the most recent patch to safe their websites.
Analyze Limitless Phishing & Malware with ANY.RUN For Free - 14 Days Free Trial.