A critical authentication bypass vulnerability has been discovered affecting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both the free and Pro versions.
Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used on over 4 million websites.
Wordfence, which publicly disclosed the flaw, calls it one of the most severe vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to affected sites.
To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.
Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody is running a vulnerable version.
2FA leading to weaker security
The critical-severity flaw in question is CVE-2024-10924, discovered by Wordfence researcher István Márton on November 6, 2024.
It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.
Specifically, the problem lies in the ‘check_login_and_get_user()’ function, which verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.
When ‘login_nonce’ is invalid, the request is not rejected, as it should be, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing an authentication bypass.
The flaw is exploitable when two-factor authentication (2FA) is enabled; although 2FA is disabled by default, many administrators will enable it for stronger account security.
CVE-2024-10924 affects plugin versions from 9.0.0 up to 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases.
The developer addressed the flaw by ensuring that the code now correctly handles ‘login_nonce’ verification failures, exiting the ‘check_login_and_get_user()’ function immediately.
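The control-flow defect described above and its fix, modelled in Python as an added example rather than the plugin’s own code (the user table, nonce values and the ‘_vulnerable’/‘_fixed’ function names are constructed stand-ins), together with a helper that checks whether a reported plugin version falls inside the affected 9.0.0 to 9.1.1.1 range:

```python
import hmac

# Constructed stand-ins for the WordPress user table and the per-login nonce
# store used by the 2FA flow; not the plugin's own data or code.
USERS = {1: "admin", 2: "editor"}
LOGIN_NONCES = {1: "constructed-nonce-admin", 2: "constructed-nonce-editor"}


def nonce_is_valid(user_id, login_nonce):
    """Constant-time comparison of the presented nonce with the stored one."""
    expected = LOGIN_NONCES.get(user_id)
    if expected is None or not isinstance(login_nonce, str):
        return False
    return hmac.compare_digest(expected.encode(), login_nonce.encode())


def authenticate_and_redirect(user_id):
    """Stand-in for setting the auth cookie: reports who is now logged in."""
    return {"authenticated_as": USERS[user_id]}


def check_login_and_get_user_vulnerable(user_id, login_nonce):
    """Models the flawed flow: a failed nonce check does not stop execution,
    so authenticate_and_redirect() runs on the unverified user_id."""
    if user_id not in USERS:
        return {"error": "unknown user"}
    if not nonce_is_valid(user_id, login_nonce):
        error = {"error": "invalid nonce"}  # built, but never returned
    return authenticate_and_redirect(user_id)


def check_login_and_get_user_fixed(user_id, login_nonce):
    """Hardened flow: a failed nonce check exits the function immediately."""
    if user_id not in USERS:
        return {"error": "unknown user"}
    if not nonce_is_valid(user_id, login_nonce):
        return {"error": "invalid nonce"}
    return authenticate_and_redirect(user_id)


def is_affected_version(version):
    """True for plugin versions 9.0.0 through 9.1.1.1 (fixed in 9.1.2)."""
    parsed = tuple(int(part) for part in version.split("."))
    return (9, 0, 0) <= parsed < (9, 1, 2)


if __name__ == "__main__":
    print(check_login_and_get_user_vulnerable(1, "bogus"))  # admin session
    print(check_login_and_get_user_fixed(1, "bogus"))       # invalid nonce
    print(is_affected_version("9.1.1.1"), is_affected_version("9.1.2"))
```

The fixed variant is the regression test a developer would keep: an invalid nonce must return an error, never a session.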
The fix was applied in version 9.1.2 of the plugin, released on November 12 for the Pro version and on November 14 for free users.
The vendor coordinated with WordPress.org to push forced security updates to users of the plugin, but website administrators still need to check and confirm they are running the latest version (9.1.2).
Users of the Pro version have auto-updates disabled once their license expires, so they must update to 9.1.2 manually.
As of yesterday, the WordPress.org stats site, which tracks installs of the free version of the plugin, showed roughly 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.