Monday, March 10, 2025

Security plugin flaw in millions of WordPress sites gives admin access


A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both the free and Pro versions.

Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used on over 4 million websites.

Wordfence, which publicly disclosed the flaw, calls it one of the most serious vulnerabilities reported in its 12-year history, warning that it allows remote attackers to gain full administrative access to impacted sites.

To make matters worse, the flaw can be exploited en masse using automated scripts, potentially leading to large-scale website takeover campaigns.


Such is the risk that Wordfence proposes that hosting providers force-update the plugin on customer sites and scan their databases to ensure nobody is running a vulnerable version.

2FA leading to weaker security

The critical severity flaw in question is CVE-2024-10924, discovered by Wordfence researcher István Márton on November 6, 2024.

It is caused by improper handling of user authentication in the plugin’s two-factor REST API actions, enabling unauthorized access to any user account, including administrators.

Specifically, the problem lies in the ‘check_login_and_get_user()’ function, which verifies user identities by checking the ‘user_id’ and ‘login_nonce’ parameters.

When ‘login_nonce’ is invalid, the request is not rejected, as it should be, but instead invokes ‘authenticate_and_redirect(),’ which authenticates the user based on the ‘user_id’ alone, effectively allowing authentication bypass.


The flaw is exploitable when two-factor authentication (2FA) is enabled, and although it is disabled by default, many administrators will enable it for stronger account security.

CVE-2024-10924 impacts plugin versions from 9.0.0 up to 9.1.1.1 of the “free,” “Pro,” and “Pro Multisite” releases.


The developer addressed the flaw by ensuring that the code now properly handles ‘login_nonce’ verification failures, exiting the ‘check_login_and_get_user()’ function immediately.
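The bug class described above and the fail-closed fix applied in 9.1.2, as an added Python model of the control flow (this is not the plugin’s PHP code): a nonce check whose failure does not end the request, beside the version that exits before any authentication happens. The user table, the `PendingLogins` nonce issuer and the `authenticate()` stand-in for ‘authenticate_and_redirect()’ are constructed for the example.

```python
import hmac
import secrets

# Constructed user table standing in for the WordPress user store.
USERS = {1: "administrator", 7: "subscriber"}


class PendingLogins:
    """Issues a one-time login_nonce in the first (password) step of a 2FA
    login; the second step must present that nonce for the same user_id."""

    def __init__(self):
        self.pending = {}  # user_id -> nonce awaiting the second step

    def issue(self, user_id):
        nonce = secrets.token_hex(16)
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id, nonce):
        expected = self.pending.get(user_id)
        return expected is not None and hmac.compare_digest(expected, str(nonce))


def authenticate(user_id):
    """Stand-in for authenticate_and_redirect(): trusts user_id and returns a session."""
    role = USERS.get(user_id)
    return None if role is None else {"user_id": user_id, "role": role}


def vulnerable_check_login(pending, user_id, login_nonce):
    # Vulnerable pattern: the nonce failure is recorded but never ends the
    # request, so control falls through to authenticate(), which trusts user_id.
    error = None
    if not pending.verify(user_id, login_nonce):
        error = "invalid login_nonce"  # noted, but the request continues
    return authenticate(user_id)


def fixed_check_login(pending, user_id, login_nonce):
    # Fixed pattern: fail closed and exit immediately on a bad nonce; on
    # success consume the nonce so the same value cannot be replayed.
    if user_id not in USERS or not pending.verify(user_id, login_nonce):
        return None
    del pending.pending[user_id]
    return authenticate(user_id)
```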

The fixes were applied in version 9.1.2 of the plugin, released on November 12 for the Pro version and November 14 for free users.

The vendor coordinated with WordPress.org to perform forced security updates on users of the plugin, but website administrators still need to check and ensure they are running the latest version (9.1.2).

Users of the Pro version have their auto-updates disabled when the license expires, so they will have to manually update to 9.1.2.

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw.
