Millions of WordPress sites could be at risk from "one of the most serious" plugin flaws ever found

WordPress users urged to double-check their websites following update to worrrying security flaw.

featured-image

WordFence finds "one of the most severe flaws" in its 12-year history The critical flaw resides in the Really Simple Security plugin The bug allows for automated, mass website takeover Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website. Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin , both free and paid versions. This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues.

Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations. Biggest threat in more than a decade The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.



8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.” It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.

0.0 to 9.1.

1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.

2. Currently, the WordPress plugins site shows 44.1% of installations being for version 9.

1, with the remaining 65.9% falling on older versions. Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.

Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well. North Korean hackers are targeting Apple users with new macOS malware Here's a list of the best firewalls today These are the best endpoint protection tools right now.