A WordPress plug-in installed on more than 4 million websites has been found to expose those sites to full administrative takeover through an authentication bypass flaw that can be scripted, opening the door to large-scale automated attacks against many sites at once.
The authentication bypass flaw was discovered earlier this month by researchers from Wordfence in a plug-in from Really Simple Security designed to provide security features for WordPress sites. The flaw, which has been rated with a critical CVSS score of 9.8, impacts the Really Simple Security Pro and Pro Multisite plug-ins in versions 9.0.0 to 9.1.1.1.
According to a recent blog post by Wordfence security researcher Istvan Marton, the flaw enables attackers to remotely access any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled. The flaw stems from improper handling of the error returned by the user check in the two-factor REST API actions, performed by the “check_login_and_get_user” function, which makes the bypass scriptable and potentially exploitable against multiple WordPress sites simultaneously in an automated fashion.
Recognizing the severity of the vulnerability, Wordfence promptly collaborated with the Really Simple Security team upon discovering the flaw on Nov. 6 to address it. A patched update, version 9.1.2, was released to the public on Nov. 12 following the immediate disclosure of the flaw to the vendor. Additionally, at Wordfence’s recommendation, Really Simple Security initiated force updates for all sites utilizing the plug-in two days later to ensure mitigation of the vulnerability.
Despite these mitigation efforts, Wordfence advises administrators of sites using the plug-in to verify that the plug-in has actually been updated to the patched version, since, as Marton notes in the post, sites without a valid license may not have working auto-update capabilities.
The Really Simple Security plug-in, previously known as Really Simple SSL, underwent a major version update that introduced new security features such as login protection, vulnerability detection, and 2FA. During this update, however, the 2FA implementation was found to be insecure, introducing a vulnerability that lets attackers gain access to user accounts with 2FA enabled by sending a single simple request.
Specifically, the flaw lies in the skip_onboarding() function of the Rsssl_Two_Factor_On_Board_Api class, which handles REST API authentication and fails to handle the WP_REST_Response error object that the user check returns on failure. Because that error is never acted upon, the function keeps processing even when the nonce is invalid, and ends up authenticating the user identified by the supplied user id.
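As an added illustration, not code from the plug-in, the following Python sketch models the control flow the paragraph describes: a user-check helper that returns an error response object on failure, a caller that ignores that return type and logs the user in anyway, and the corrected caller that propagates the error. Function names follow the article; RestResponse, the HMAC-based nonce and the user table are constructed stand-ins.

```python
"""Model of an unchecked error-object return in a 2FA REST handler (constructed example)."""
from dataclasses import dataclass
import hashlib
import hmac

SECRET = b"constructed-site-secret"   # stand-in for the site's nonce signing key
USERS = {1: "admin", 7: "editor"}     # constructed user table: id -> login name


@dataclass
class RestResponse:
    """Stand-in for WP_REST_Response: the helper returns one of these on failure."""
    status: int
    body: dict


def login_nonce(user_id: int) -> str:
    """Nonce a user receives after the password step, bound to their id (constructed scheme)."""
    return hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()


def check_login_and_get_user(user_id: int, nonce: str):
    """Return the user's login name on success, or an error *response object* on failure."""
    if not hmac.compare_digest(login_nonce(user_id), nonce):
        return RestResponse(403, {"error": "invalid login nonce"})
    if user_id not in USERS:
        return RestResponse(404, {"error": "unknown user"})
    return USERS[user_id]


def skip_onboarding_vulnerable(user_id: int, nonce: str) -> RestResponse:
    """Bug pattern: the error object is never checked, so the request proceeds."""
    user = check_login_and_get_user(user_id, nonce)
    # A RestResponse is a truthy object, so even a naive `if not user:` would not
    # catch it; the handler carries on and logs in whoever user_id names.
    return RestResponse(200, {"logged_in_as": user_id, "user": str(user)})


def skip_onboarding_fixed(user_id: int, nonce: str) -> RestResponse:
    """Fix: treat an error response as terminal and return it to the client."""
    user = check_login_and_get_user(user_id, nonce)
    if isinstance(user, RestResponse):
        return user                      # 403/404 goes back, no session is created
    return RestResponse(200, {"logged_in_as": user_id, "user": user})
```

A regression test for the fixed handler should assert that an invalid nonce yields a 403 and no session, which is the check the vulnerable version lacks.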
This vulnerability enables threat actors to bypass authentication mechanisms and gain unauthorized access to accounts on sites running vulnerable versions of the plug-in, allowing for potential complete compromise of WordPress sites and further exploitation, as detailed by Marton.
Given WordPress’s widespread use as a platform for millions of websites, and the size of its plug-in ecosystem, the platform remains a prime target for threat actors seeking vulnerabilities to exploit. Attackers are especially inclined to target individual plug-ins with large install bases, which makes flaws like the one in Really Simple Security’s plug-in an appealing prospect.
Although most sites using the plug-in should have been updated following the release of the patched version, Wordfence still recommends that users actively circulate the patch advisory to ensure comprehensive coverage against the critical vulnerability. Marton emphasizes the importance of sharing the advisory with others who use the plug-ins so they can safeguard their sites against the significant risks the vulnerability poses.
In conclusion, the discovery of the flaw in Really Simple Security’s plug-in underscores the ongoing importance of frequent security updates and proactive communication within the WordPress community to mitigate vulnerabilities and enhance the platform’s overall security posture.