A critical authentication bypass vulnerability has been found affecting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both the free and Pro versions.
Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used on over 4 million websites.
Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to affected sites.
To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.
Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody is running a vulnerable version.
2FA leading to weaker security
The critical-severity flaw in question is CVE-2024-10924, discovered by Wordfence researcher István Márton on November 6, 2024.
It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.
Specifically, the problem lies in the ‘check_login_and_get_user()’ function, which verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.
When ‘login_nonce’ is invalid, the request is not rejected, as it should be, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing authentication bypass.
The flaw is exploitable when two-factor authentication (2FA) is enabled, and although it is disabled by default, many administrators enable it for stronger account security.
CVE-2024-10924 affects plugin versions from 9.0.0 up to 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases.
The developer addressed the flaw by ensuring that the code now correctly handles ‘login_nonce’ verification failures, exiting the ‘check_login_and_get_user()’ function immediately.
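The control-flow defect described above (a failed ‘login_nonce’ check that does not stop the function, so ‘authenticate_and_redirect()’ is still reached on ‘user_id’ alone) and the shape of the fix, as an added illustration that is not the plugin's code: the secret, the user table, the HMAC-based nonce and the two function bodies are all constructed stand-ins for the real plugin internals.

```python
"""Constructed model of the CVE-2024-10924 bug class: a nonce check whose
failure does not exit the function, so authentication proceeds anyway."""
import hashlib
import hmac
from typing import Optional

# Constructed demo secret and user table; not taken from the plugin.
SECRET = b"constructed-demo-secret"
USERS = {1: "admin", 2: "editor"}


def make_login_nonce(user_id: int) -> str:
    """Issue a per-user nonce (stand-in for the plugin's login_nonce)."""
    return hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()


def nonce_is_valid(user_id: int, login_nonce: str) -> bool:
    """Constant-time comparison against the nonce expected for this user."""
    return hmac.compare_digest(make_login_nonce(user_id), login_nonce)


def authenticate_and_redirect(user_id: int) -> str:
    """Stand-in for session creation: returns the user now logged in."""
    return USERS[user_id]


def check_login_and_get_user_vulnerable(user_id: int, login_nonce: str) -> Optional[str]:
    """Vulnerable shape: the nonce is checked, but a failure never returns,
    so control falls through to authentication based on user_id alone."""
    if user_id not in USERS:
        return None
    if not nonce_is_valid(user_id, login_nonce):
        # The failure is observed here, yet nothing exits the function.
        pass
    return authenticate_and_redirect(user_id)


def check_login_and_get_user_fixed(user_id: int, login_nonce: str) -> Optional[str]:
    """Fixed shape: a nonce failure exits immediately; only a nonce that
    matches this user_id reaches authenticate_and_redirect()."""
    if user_id not in USERS:
        return None
    if not nonce_is_valid(user_id, login_nonce):
        return None
    return authenticate_and_redirect(user_id)
```

The same pattern generalises to any multi-step authentication handler: every failed check must terminate the request path, not merely record an error.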
The fixes were applied in version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.
The vendor coordinated with WordPress.org to perform forced security updates on users of the plugin, but site administrators still need to check and ensure they are running the latest version (9.1.2).
Users of the Pro version have their auto-updates disabled when the license expires, so they must manually update to 9.1.2.
As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed roughly 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.