Four million WordPress installations at risk due to vulnerability in Really Simple Security plugin

 
At least 4,000,000 WordPress sites running the free or paid version of Really Simple Security (formerly Really Simple SSL) were affected by a critical authentication bypass vulnerability.

All the details are in this article by István Márton on the Wordfence blog.

The vulnerability, fully fixed in version 9.1.2 of the plugin, was discovered by Wordfence, who describe it as one of the most serious vulnerabilities they have reported in their 12-year history as a WordPress security provider. It affects the Really Simple Security plugin, formerly known as Really Simple SSL, installed on more than 4 million sites, and allows an unauthenticated attacker to remotely gain full administrative access to a site running a vulnerable version.

This authentication bypass, which affects versions 9.0.0 through 9.1.1.1 of the plugin, stems from faulty error handling in the plugin's two-factor login flow and lets an attacker skip authentication when the plugin's two-factor authentication feature is enabled (it is off by default). Sites that switched on 2FA to harden their logins were precisely the ones exposed.

For years this plugin was installed en masse simply to enable HTTPS, and other security-related features were added over time. When WordPress 5.7 (2021) introduced a native one-click option to switch a site from HTTP to HTTPS, the plugin's original reason for existing disappeared, yet many of those Really Simple SSL installations stayed active on WordPress sites.

It never hurts to remember that it is advisable to review installed plugins periodically and uninstall those you no longer need, or replace add-ons with simple functionality by small snippets or functions added by hand: every plugin you keep is attack surface.

As Wordfence recommends, share the warning with everyone you know who uses this plugin so that they update as soon as possible, since the vulnerability poses a significant risk.
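To check whether a site, or a whole fleet of sites, is still on an affected build, here is an added shell example that is not part of the article or of the plugin's own code: it compares the installed version against the affected range 9.0.0 through 9.1.1.1 and flags anything below the fixed 9.1.2. It assumes WP-CLI is available on the server and that the plugin slugs are really-simple-ssl (Free) and really-simple-ssl-pro (Pro); the plugin list it scans below is constructed sample data, not output from a real site.

```shell
#!/bin/sh
# Added example (not from the article or the plugin's authors): check a
# WordPress install for an affected Really Simple Security / Really Simple SSL
# version. Range per the advisory: 9.0.0 through 9.1.1.1, fixed in 9.1.2.
# Assumptions: WP-CLI is available when run against a live site, and the
# plugin slugs are really-simple-ssl (Free) and really-simple-ssl-pro (Pro).

FIRST_BAD=9.0.0
FIXED=9.1.2

# vernum: turn a dotted version into a zero-padded integer for numeric
# comparison, e.g. 9.1.1.1 -> 9010101. Missing components count as 0, so
# 9.1.2 and 9.1.2.0 compare equal; components are assumed to be below 100,
# and a suffix such as "-beta" on the last component is ignored by %d.
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%02d%02d%02d\n", $1, $2, $3, $4 }'
}

# is_affected VERSION: exit 0 if FIRST_BAD <= VERSION < FIXED.
is_affected() {
    v=$(vernum "$1")
    [ "$v" -ge "$(vernum "$FIRST_BAD")" ] && [ "$v" -lt "$(vernum "$FIXED")" ]
}

# scan_plugins: read "name,status,version" CSV on stdin (the shape produced by
# `wp plugin list --fields=name,status,version --format=csv`) and print one
# line per affected Really Simple Security install. Exit 0 if any was found,
# 1 otherwise, so the function can drive a fleet-wide loop.
scan_plugins() {
    found=1
    while IFS=, read -r name status version; do
        case "$name" in
            really-simple-ssl|really-simple-ssl-pro) ;;
            *) continue ;;   # CSV header line and unrelated plugins
        esac
        if is_affected "$version"; then
            printf '%s %s %s AFFECTED (update to %s)\n' "$name" "$status" "$version" "$FIXED"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample output (not captured from a real site) so this runs
# offline. On a live install replace the here-document with:
#   wp plugin list --fields=name,status,version --format=csv | scan_plugins
scan_plugins <<'EOF'
name,status,version
akismet,active,5.3.3
really-simple-ssl,active,9.1.1.1
EOF
```

Note that an inactive copy of the plugin is reported too: the code is still on disk and can be reactivated, so it should be updated or removed like any other affected install. Once flagged, `wp plugin update really-simple-ssl` brings the Free version to the current release.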

The developers have already notified all Really Simple Security users (Free and Pro) by e-mail of the update to version 9.1.2, released yesterday, which patches the vulnerability.
