CVE-2024-10924: 
WordPress vulnerability analysis and mitigation

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress contain an authentication bypass vulnerability (CVE-2024-10924) affecting versions 9.0.0 to 9.1.1.1. The vulnerability was discovered and reported by István Márton from Wordfence on November 6, 2024, and was publicly disclosed on November 14, 2024 (Wordfence Blog).

The vulnerability stems from improper user check error handling in the two-factor REST API actions with the 'checkloginandgetuser' function. The issue has received a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators, when the 'Two-Factor Authentication' setting is enabled. While the two-factor authentication feature is disabled by default, sites that have enabled it are at risk of complete compromise (Wordfence Blog).

Site administrators running affected versions should immediately update to version 9.1.2 or later, which contains the security fix. The vulnerability was patched in the WordPress plugin repository (WordPress Plugin).