Millions of WordPress sites could be at risk from “one of the most serious” plugin flaws ever found

WordFence finds “one of the most severe flaws” in its 12-year history
The critical flaw resides in the Really Simple Security plugin
The bug allows for automated, mass website takeover

Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website.

Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin, both free and paid versions.

This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues. Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations.

Biggest threat in more than a decade

The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.”

It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.0.0 to 9.1.1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.2.

Currently, the WordPress plugins site shows 44.1% of installations being for version 9.1, with the remaining 65.9% falling on older versions.

Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.

The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well.

You might also like

https://cdn.mos.cms.futurecdn.net/yDX5VaYZa9C9jFuEEHgxiD-1200-80.jpg

Source link

I cloned my voice with AI and even my wife can’t tell the difference

Fake AI video generators are being used to hack Windows and macOS devices

Equinix is closing its bare metal IaaS platform

5 of the best free movies to stream on Tubi, Pluto TV, Amazon Freevee, and more this week (November 18)

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Millions of WordPress sites could be at risk from “one of the most serious” plugin flaws ever found

I cloned my voice with AI and even my wife can’t tell the difference

Fake AI video generators are being used to hack Windows and macOS devices

Equinix is closing its bare metal IaaS platform

5 of the best free movies to stream on Tubi, Pluto TV, Amazon Freevee, and more this week (November 18)

Leave a reply Cancel reply