WordPress Plugin Vulnerability Threatens 4 Million Websites
Critical Authentication Flaw Affects Both Free and Pro Users
A widely deployed five-in-one security plugin for WordPress websites contained a flaw that hackers could automate into a large-scale takeover campaign.
WordPress security firm Wordfence called the flaw, tracked as CVE-2024-10924, "one of the more serious vulnerabilities that we have reported on in our 12 year history."
The critical authentication bypass vulnerability takes advantage of a now-patched flaw in the Really Simple Security plugin, active across more than 4 million websites. WordPress.org began forced updates on Thursday. "We urge users to verify that their sites were updated to the latest patched version of Really Simple Security, version 9.1.2," Wordfence researchers wrote. The flaw affects the free, Pro and Pro Multisite editions.
The flaw stems from improper handling of user verification during the two-factor authentication process via the REST API, which is a protocol for systems to communicate over the web. Only installations that have enabled two-factor authentication for login are affected, and that setting is disabled by default. Really Simple Security bundles features for managing website certificates, vulnerability detection, login protection and WordPress hardening.
Specifically, the error is in how the plugin handled an error in the case of a two-factor authentication failure. Prior to the patch, the plugin did not act on the error within the function, meaning that even in the case of an invalid response, an attacker could proceed with logging in. "Even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(), which authenticates the user based on the user id passed in the request, even when that user's identity hasn't been verified," Wordfence wrote.
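The bug class Wordfence describes is a check whose failure is recorded but never acted on, so control falls through to the code that grants the session. The following is an added illustration written for this article, not Really Simple Security's own code: the handler and helper names are hypothetical (only `authenticate_and_redirect()` is taken from the Wordfence quote, and its body here is a stand-in), while the WordPress functions it calls (`wp_verify_nonce`, `WP_Error`, `get_user_by`, `wp_set_current_user`, `wp_set_auth_cookie`, `register_rest_route`) are real core APIs. The vulnerable pattern is shown beside a fail-closed version.

```php
<?php
// Added illustration of the bug pattern described above. This is NOT the
// plugin's code; handler and helper names are hypothetical stand-ins.

// Shared helper: finalises login for a user id. Everything that reaches this
// function is treated as verified, so every check must happen before the call.
function authenticate_and_redirect( int $user_id ): void {
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, true );
    wp_safe_redirect( admin_url() );
    exit;
}

// Hypothetical second-factor check: compares the submitted code against a
// one-time code the first login step stored in user meta (constructed scheme).
function second_factor_is_valid( WP_User $user, string $code ): bool {
    $expected = (string) get_user_meta( $user->ID, 'example_2fa_code', true );
    return $expected !== '' && hash_equals( $expected, $code );
}

// VULNERABLE pattern (hypothetical reconstruction). The nonce failure is stored
// in $error, but the function does not return, so it still calls
// authenticate_and_redirect() with whatever user_id the request supplied.
function vulnerable_two_fa_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $nonce   = (string) $request->get_param( 'login_nonce' );
    $error   = null;

    if ( ! wp_verify_nonce( $nonce, 'two_fa_login_' . $user_id ) ) {
        $error = new WP_Error( 'invalid_nonce', 'Nonce verification failed.' );
        // BUG: no return here; processing continues as if the nonce were valid.
    }

    // $error is never consulted: the identity check was effectively skipped.
    authenticate_and_redirect( $user_id );
}

// FIXED pattern: fail closed. Every failed check returns immediately, and the
// session is only created for a user whose second factor was actually verified.
function fixed_two_fa_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $nonce   = (string) $request->get_param( 'login_nonce' );

    if ( ! wp_verify_nonce( $nonce, 'two_fa_login_' . $user_id ) ) {
        return new WP_Error( 'invalid_nonce', 'Nonce verification failed.', [ 'status' => 403 ] );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.', [ 'status' => 403 ] );
    }

    if ( ! second_factor_is_valid( $user, (string) $request->get_param( 'code' ) ) ) {
        return new WP_Error( 'invalid_code', 'Second factor rejected.', [ 'status' => 403 ] );
    }

    // Clear the one-time code so it cannot be replayed, then log the user in.
    delete_user_meta( $user->ID, 'example_2fa_code' );
    authenticate_and_redirect( $user->ID );
}

// Route registration showing where such a handler sits. The endpoint has to be
// reachable without a session (the caller is mid-login), which is exactly why
// the handler itself must enforce every check rather than rely on
// permission_callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-2fa/v1', '/login', [
        'methods'             => 'POST',
        'callback'            => 'fixed_two_fa_login',
        'permission_callback' => '__return_true',
    ] );
} );
```

When reviewing REST callbacks that sit before a login is complete, the thing to look for is the shape of `vulnerable_two_fa_login()`: an error object created and assigned but not returned, with a privileged call later in the same function. A request-scoped `user_id` should also never be the sole basis for the session; the fixed version binds it to a nonce and a verified second factor before any cookie is set.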
Wordfence researchers disclosed the vulnerability to the developer team on Nov. 6. The flaw, which has a 9.8 rating on the ten-point CVSS scale, is scriptable, "meaning that it can be turned into a large scale automated attack."