Plugins are a huge part of what powers the WordPress ecosystem. However, these plugins can also act as entry points for hackers, allowing them to access the rest of a WordPress website. In an unfortunate example of irony, one WordPress plugin that was designed to strengthen security ended up leaving millions of WordPress websites vulnerable to attack.
Installed on over 4 million websites, the "Really Simple Security" plugin, formerly named "Really Simple SSL," is one of the most popular plugins on the market. But recently, this plugin was discovered to have a vulnerability that gives hackers easy access to the sites it's installed on. In fact, the vulnerability was given a score of 9.8 under the Common Vulnerability Scoring System (CVSS), classifying it as critical.
Whether you use this plugin or you're just concerned about staying informed and keeping your site secure, here is all the important information you should know about the "Really Simple Security" plugin vulnerability.
Cybersecurity researchers are constantly searching for vulnerabilities in all types of software in the hope of finding them before malicious actors discover and exploit them. This is how the "Really Simple Security" plugin vulnerability was discovered, and action was quickly taken following its discovery to patch the issue and mitigate the damage.
The vulnerability in the "Really Simple Security" plugin was first identified on November 6th, 2024. Following this discovery, the vendor that provides the "Really Simple Security" plugin was immediately notified, and the issue was assigned the CVE ID CVE-2024-10924. A CVE (Common Vulnerabilities and Exposures) entry serves as a unique identifier to track and reference a vulnerability worldwide, and it helps enable a quick and standardized response.
The root cause of the "Really Simple Security" plugin vulnerability lies in how the plugin handles WP_REST_Response errors within the check_login_and_get_user function. This flaw allows hackers to leverage the user_id parameter to gain administrative access to affected websites. By using the vulnerability to bypass security controls and gain admin-level access, hackers could perform a range of actions on the affected sites, including installing malicious code and accessing sensitive data.
It's worth noting that the plugin's vulnerability is only exploitable when two-factor authentication (2FA) is enabled, and this feature is disabled by default. However, many website owners using the plugin decided to enable 2FA, thinking they were strengthening their site's security without ever realizing they were enabling a critical vulnerability.
One of the most concerning things about the "Really Simple Security" plugin vulnerability was the scope of the issue and the number of websites affected. The vulnerability affects plugin versions 9.0.0 to 9.1.1.1 across all editions, including Free, Pro, and Pro Multisite. Because the flaw is easy to script, it also allowed hackers to automate their exploits, giving them the ability to attack large numbers of unpatched installations at a time. And since the "Really Simple Security" plugin is used by an estimated 4 million WordPress websites, there was no shortage of targets for hackers to choose from.
The potential impact of a vulnerability is always determined by two main factors: its scope and the potential damage that can be caused if it's exploited. In both cases, the "Really Simple Security" plugin vulnerability was a major cause for alarm, which is why it received such a high CVSS score.
Here's a closer look at both the potential consequences and the number of sites at risk to better underscore why the "Really Simple Security" plugin vulnerability was an especially concerning problem:
Some of the most dangerous vulnerabilities are those that allow hackers to gain admin-level access to a website, and this is exactly what the "Really Simple Security" plugin vulnerability does. By gaining full administrative access to affected websites, hackers are able to perform a range of damaging actions. This includes things like executing site takeovers, stealing sensitive data, installing malicious software such as malware or ransomware, and altering content on the site.
Consequences like this aren't exclusive to the "Really Simple Security" plugin vulnerability, and there are many types of vulnerabilities that can inadvertently give hackers admin-level access. That's why it's essential for website owners to fix WordPress vulnerabilities as quickly as possible.
As we mentioned earlier, the "Really Simple Security" plugin was installed on over 4 million WordPress websites. As of November 16, 2024, approximately 3.5 million sites remained unpatched. While this number could have gone down in the time since the data was reported, the large number of websites that remain unpatched highlights the urgent need for website owners to take action and ensure that all the plugins on their websites are updated and patched.
After learning about the vulnerability, the developers behind the "Really Simple Security" plugin quickly took action. Here's a timeline of their response and the actions that they took:
November 6, 2024: Vulnerability identified and vendor notified.
November 7, 2024: Vendor acknowledges the report and begins patching.
November 12, 2024: Patched version 9.1.2 released for Pro editions.
November 14, 2024: Patched version 9.1.2 for Free editions released; forced updates initiated.
To ensure that as many affected websites as possible would receive the patch, the developers collaborated with WordPress.org to push forced updates for all vulnerable installations. As for how the vulnerability was patched, the developers corrected the plugin's error handling for login_nonce failures, eliminating the exploit vector. Along with these actions, the vendor worked to provide guidance on how affected users should go about securing their websites.
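To make the root cause and the fix concrete, here is an added illustration of the bug class described above (a helper that returns an error response object rather than a WP_Error, and a caller that only checks for WP_Error). It is not the plugin's own code: the WordPress classes are minimal stand-ins so it runs offline, the function signatures and the name vulnerable_skip_onboarding/fixed_skip_onboarding are assumed, and the hardened form goes beyond what the post states to show the general fail-closed pattern.

```php
<?php
// Added illustration of the bug class described above; it is NOT the plugin's code.
// The WordPress classes below are minimal stand-ins so the file runs offline, and
// every name other than check_login_and_get_user is assumed for the example.

class WP_Error {}                        // stand-in for WordPress's WP_Error
class WP_REST_Response {                 // stand-in for WordPress's WP_REST_Response
    public array $data;
    public int $status;
    public function __construct(array $data, int $status) {
        $this->data = $data;
        $this->status = $status;
    }
}
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Constructed sample state: the login nonce currently valid for each user ID.
$validNonces = [1 => 'nonce-for-user-1'];

/** Returns a user record when the nonce matches, otherwise an error *response*. */
function check_login_and_get_user(int $user_id, string $login_nonce, array $valid) {
    if (($valid[$user_id] ?? null) !== $login_nonce) {
        return new WP_REST_Response(['status' => 'error', 'message' => 'Invalid login nonce'], 403);
    }
    return ['ID' => $user_id];
}

/** Vulnerable pattern: only WP_Error counts as failure. A WP_REST_Response is an
 *  object, so it is truthy and slips past the check, and the request-supplied
 *  user_id is logged in even though the nonce was wrong. */
function vulnerable_skip_onboarding(int $user_id, string $login_nonce, array $valid): string {
    $user = check_login_and_get_user($user_id, $login_nonce, $valid);
    if (is_wp_error($user)) {
        return 'rejected';
    }
    return 'authenticated as ' . $user_id;  // reached on nonce failure too
}

/** Fixed pattern: fail closed on anything that is not a verified user record, and
 *  authenticate the ID the helper returned, not the one taken from the request. */
function fixed_skip_onboarding(int $user_id, string $login_nonce, array $valid): string {
    $user = check_login_and_get_user($user_id, $login_nonce, $valid);
    if (!is_array($user) || empty($user['ID'])) {
        return 'rejected';
    }
    return 'authenticated as ' . $user['ID'];
}

echo vulnerable_skip_onboarding(1, 'wrong-nonce', $validNonces), PHP_EOL;
echo fixed_skip_onboarding(1, 'wrong-nonce', $validNonces), PHP_EOL;
echo fixed_skip_onboarding(1, 'nonce-for-user-1', $validNonces), PHP_EOL;
```

The first call shows the failed nonce check being silently ignored, while the fixed caller rejects the bad nonce and accepts only the valid one.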
If the "Really Simple Security" plugin is installed on your WordPress website, it's important to take immediate action to fix the vulnerability. Additionally, there are long-term measures you can take to help ensure your website isn't left vulnerable again in the future.
The first thing you should do if the "Really Simple Security" plugin is installed on your site is immediately update to version 9.1.2 or newer. Using an outdated plugin is never a good idea, but it's especially risky for plugins with known vulnerabilities.
Next, make sure that auto-updates are functioning correctly so that any subsequent updates will be installed automatically. This is particularly important for Pro users with expired licenses since license expiration often disables automatic updates.
Once you've taken these steps to secure your site, you'll want to scan the site for malware or any other unauthorized changes to ensure that hackers haven't already exploited the vulnerability and compromised your website.
There are numerous long-term measures that WordPress website owners can take to prevent vulnerabilities like the "Really Simple Security" plugin from leaving their sites exposed. One of the most effective things you can do to bolster your site's security is to use a WordPress security service like SiteLock. These services automatically scan for vulnerabilities on your website so that they can be identified and fixed before hackers find them first.
Monitoring activity logs is another effective security practice, as this will help you detect any unusual behavior on your website. While it may seem like a simple step, changing all administrative and FTP passwords (and making sure you use strong ones) is also a vital part of WordPress security.
Firewalls and two-factor authentication are two additional measures you can use to harden WordPress security. Firewalls filter traffic on your website and automatically block any traffic that's deemed suspicious. And while having 2FA enabled may have been what made the "Really Simple Security" plugin vulnerability possible, this is a coincidental occurrence and shouldn't discourage you from using this security feature, as it adds a strong extra layer of protection to your passwords.
Perhaps the biggest lesson that plugin developers can learn from the "Really Simple Security" plugin vulnerability is the importance of secure coding practices. With more rigorous testing by the developers of the "Really Simple Security" plugin, the vulnerability likely could have been discovered much earlier. Improper error handling, in particular, is a key issue for developers to test for since it's an issue that can lead to especially severe vulnerabilities such as the "Really Simple Security" plugin vulnerability.
For website owners, meanwhile, the "Really Simple Security" plugin vulnerability highlights the importance of prompt updates and strong WordPress security measures. By taking a proactive approach to securing your WordPress site, you can ensure that you aren't blindsided by vulnerabilities such as this.
Due to its scope and potential impact, the "Really Simple Security" plugin vulnerability is one that sent shockwaves through the WordPress community. Thankfully, the issue was quickly discovered, and a patch was released. However, many WordPress websites still remain unpatched and vulnerable.
If you would like to protect your WordPress website against this and other vulnerabilities, SiteLock can help. With our advanced WordPress security and WordPress malware removal packages, you can ensure that your site is fully protected rather than being an easy target for hackers.