A critical flaw in Really Simple Security allows attackers to log in without a password when 2FA is enabled. The vulnerability is so easy to exploit that patching it should be a top priority.
The popular plugin Really Simple Security contains an extremely critical vulnerability, discovered by the security specialist Wordfence. Wordfence has been providing security for WordPress for twelve years and describes the vulnerability as the most serious one identified in that time. Around four million WordPress sites rely on Really Simple Security.
The impact of the flaw is significant. Due to a faulty line of code in the 2FA implementation, in certain cases the plugin only checks whether a user exists. If the ‘login_nonce’ parameter is invalid, the plugin still proceeds to authenticate the user on the basis of the user ID alone.
Ironically, the flaw is triggered when users of the plugin have enabled 2FA and have thus correctly followed best practices for greater security. The bug is tracked as CVE-2024-10924 and affects versions 9.0.0 to 9.1.1.1 of the Free, Pro and Pro Multisite editions.
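The failure mode described above, as a constructed illustration (not the plugin's own code): a second-factor handler that falls through to a mere "does this user exist" check when the nonce does not verify, beside a fail-closed version that denies on every path except a valid, single-use, constant-time-compared nonce. The in-memory `USERS` and `NONCES` stores stand in for whatever persistence a real plugin would use.

```python
import hmac
import secrets

# Constructed sample data: two accounts and a store of pending one-time nonces.
USERS = {7: "alice", 12: "bob"}   # user_id -> login name
NONCES = {}                       # user_id -> nonce issued after the password step


def issue_nonce(user_id: int) -> str:
    """Step 1 of the 2FA flow: after the password check, hand out a one-time nonce."""
    nonce = secrets.token_urlsafe(32)
    NONCES[user_id] = nonce
    return nonce


def finish_login_fail_open(user_id: int, login_nonce: str) -> bool:
    """Buggy pattern: if the nonce does not verify, control falls through to a
    check that only asks whether the user exists, so any valid user id logs in."""
    expected = NONCES.get(user_id)
    if expected is not None and hmac.compare_digest(expected, login_nonce):
        NONCES.pop(user_id)
        return True
    return user_id in USERS  # BUG: an invalid nonce must be rejected here


def finish_login_fail_closed(user_id: int, login_nonce: str) -> bool:
    """Hardened pattern: the nonce is consumed on any attempt (single use), must be
    present, and must match in constant time; every other path denies."""
    expected = NONCES.pop(user_id, None)
    if expected is None or not isinstance(login_nonce, str):
        return False
    if not login_nonce.isascii() or not hmac.compare_digest(expected, login_nonce):
        return False
    return user_id in USERS
```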
Automatic updates
Version 9.1.2 of the Really Simple Security plugin no longer contains the flaw. This update was released on November 12th for users of the free version and on November 14th for users of the Pro edition. The developers worked with WordPress to force the update out, which will have succeeded in many cases, but certainly not all.
It is important to check immediately whether Really Simple Security is running version 9.1.2. After all, the flaw is easily exploited by criminals, who can even automate the process. Wordfence Premium, Care and Response customers have received a firewall rule that blocks abuse; it is available to paying users. Free Wordfence users will also receive the firewall rule on December 6th, but waiting for it is not a good idea.
Is your website protected by Really Simple Security (formerly Really Simple SSL)? Then check immediately whether version 9.1.2 is already installed.