A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), affects both the free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.
“The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites,” Wordfence security researcher István Márton said.
Following responsible disclosure on November 6, 2024, the shortcoming was patched in version 9.1.2, released a week later. The risk of possible abuse prompted the plugin maintainers to work with WordPress to force-update all sites running the plugin prior to public disclosure.
According to Wordfence, the authentication bypass vulnerability, present in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called “check_login_and_get_user,” thereby allowing unauthenticated attackers to log in as arbitrary users, including administrators, when two-factor authentication is enabled.
“Unfortunately, one of the features adding two-factor authentication was insecurely implemented, making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled,” Márton said.
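The bug class described above, a verification helper that reports failure through a returned error object while its caller never inspects that return value, is easy to see in miniature. The following PHP is an added illustration written for this article, not code from the Really Simple Security plugin or from Wordfence; the helper name `verify_login_nonce`, the two caller functions, the user and nonce tables, and the stand-in `WP_Error` class and `is_wp_error()` function (which mimic WordPress's real ones so the file runs under plain `php` outside WordPress) are all constructed for the example.

```php
<?php
// Added illustration (not the plugin's code): a login-verification helper that
// returns an error object on failure, beside a caller that ignores that return
// value and one that checks it before trusting the user id.

// Minimal stand-ins for WordPress's WP_Error and is_wp_error(), so this runs
// under plain `php` outside WordPress. In a real plugin the core ones are used.
class WP_Error {
    public function __construct(public string $code, public string $message) {}
}
function is_wp_error(mixed $thing): bool {
    return $thing instanceof WP_Error;
}

// Constructed sample data: two users and the one-time nonce issued to user 1.
const USERS  = [1 => 'admin', 2 => 'editor'];
const NONCES = [1 => 'n0nce-for-admin'];

// Hypothetical verification helper: returns the verified user id on success,
// or a WP_Error describing why verification failed.
function verify_login_nonce(int $user_id, string $nonce): int|WP_Error {
    if (!isset(USERS[$user_id])) {
        return new WP_Error('no_user', 'Unknown user');
    }
    if (!isset(NONCES[$user_id]) || !hash_equals(NONCES[$user_id], $nonce)) {
        return new WP_Error('bad_nonce', 'Nonce mismatch');
    }
    return $user_id;
}

// VULNERABLE pattern: the helper's result is discarded, so a WP_Error is never
// noticed and the request is treated as authenticated for the requested id.
function complete_login_unchecked(int $user_id, string $nonce): string {
    verify_login_nonce($user_id, $nonce);        // return value ignored
    return 'logged in as ' . USERS[$user_id];   // reached on failure too
}

// HARDENED pattern: fail closed on any WP_Error, and only act on the user id
// that the helper itself returned rather than the id taken from the request.
function complete_login_checked(int $user_id, string $nonce): string {
    $result = verify_login_nonce($user_id, $nonce);
    if (is_wp_error($result)) {
        return 'denied: ' . $result->message;
    }
    return 'logged in as ' . USERS[$result];
}

// Same bad nonce through both callers, then a valid nonce through the hardened one.
echo complete_login_unchecked(1, 'wrong'), PHP_EOL;
echo complete_login_checked(1, 'wrong'), PHP_EOL;
echo complete_login_checked(1, 'n0nce-for-admin'), PHP_EOL;
```

The unchecked caller reports a successful login for user 1 even though the nonce was wrong, which is the shape of failure a code review should look for: any helper that can return `WP_Error` must have every call site wrapped in `is_wp_error()` (or an equivalent type check) before the result is used to set the current user or issue an auth cookie. Requires PHP 8.0 or later for the union return type and constructor property promotion.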
Successful exploitation of the vulnerability could have serious consequences, as it could enable malicious actors to hijack WordPress sites and further use them for criminal purposes.
The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8), that could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.
Specifically, the theme, prior to version 4.963, is “vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks,” allowing unauthenticated attackers to delete arbitrary files on the server.
“This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site’s wp-config.php file,” it said. “Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.”
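The two weaknesses named in the WPLMS finding, missing path validation and missing permission checks, map onto two guards that a file-deletion handler needs before it touches the filesystem. The following PHP is an added example written for this article, not code from the WPLMS theme or from Wordfence; the functions `resolve_within` and `delete_upload`, the `$user_can_manage` flag standing in for a capability check, and the temporary directory and file names are all constructed for the example.

```php
<?php
// Added illustration (not the theme's code): confining a user-supplied file
// name to one base directory, and refusing the operation unless the caller
// has the required capability. All paths below are created in a temp dir.

// Resolve $name inside $base_dir. Returns the canonical path on success, or
// null if the name escapes the base directory or does not resolve at all.
function resolve_within(string $base_dir, string $name): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null; // does not exist, or a component is inaccessible
    }
    // Compare with the separator appended so that a sibling directory whose
    // name merely starts with the base name (e.g. "uploads2") does not pass.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical deletion handler: permission check first, then path containment,
// and only then the destructive call.
function delete_upload(string $base_dir, string $name, bool $user_can_manage): string {
    if (!$user_can_manage) {
        return 'denied: insufficient permissions';
    }
    $path = resolve_within($base_dir, $name);
    if ($path === null) {
        return 'denied: path outside upload directory';
    }
    unlink($path);
    return 'deleted ' . basename($path);
}

// Constructed sandbox: an uploads directory holding one file, plus a file that
// sits one level above it and must never be reachable through the handler.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'uploads', 0700, true);
file_put_contents($root . '/uploads/report.txt', 'inside');
file_put_contents($root . '/wp-config.php', 'placeholder, not a real config');

echo delete_upload($root . '/uploads', '../wp-config.php', true), PHP_EOL;
echo delete_upload($root . '/uploads', 'report.txt', false), PHP_EOL;
echo delete_upload($root . '/uploads', 'report.txt', true), PHP_EOL;

// Clean up the sandbox.
@unlink($root . '/wp-config.php');
@rmdir($root . '/uploads');
@rmdir($root);
```

Two design points carry the weight here. First, both the base directory and the candidate go through `realpath()`, so symlinks and `..` segments are collapsed before the comparison rather than being pattern-matched out of the raw string. Second, the capability check runs before any filesystem work, so an unauthenticated request is rejected without revealing whether the named file exists. In a real WordPress handler the `$user_can_manage` flag would come from `current_user_can()` and the base directory from `wp_upload_dir()`.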