CVE-2024-10924 PoC — Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass

Source
Associated Vulnerability
Title: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass (CVE-2024-10924)
Description: The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
Description
Exploits Really Simple Security < 9.1.2 authentication bypass (CVE-2024-10924).
Readme
# wordpress-really-simple-security-authn-bypass-exploit

This is a Python3 program that exploits the Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924).

## DISCLAIMER

**This tool is intended for security engineers and appsec people for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which anyone uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.**

## Vulnerability info

* **CVE-ID**: CVE-2024-10924
* **Link**: [https://www.cve.org/CVERecord?id=CVE-2024-10924](https://www.cve.org/CVERecord?id=CVE-2024-10924)
* **Description**: The vulnerability makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "*Two-Factor Authentication*" setting is enabled (disabled by default).
* **Fix:** [https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl](https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl)
* **Wordfence bulletin:** [https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass](https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass)
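
To check an installation against the conditions listed above, the following added example (not part of this repository or of the plugin) reads the version from a plugin header and classifies the install. The sample header is constructed, and `two_factor_enabled` is an assumed input that the operator supplies from the plugin settings.

```python
import re

# Affected range as stated on this page: 9.0.0 through 9.1.1.1 (the README's "< 9.1.2").
FIRST_AFFECTED = (9, 0, 0, 0)
LAST_AFFECTED = (9, 1, 1, 1)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

def parse_version(text):
    """Turn '9.1.2' or '9.1.1.1' into a 4-tuple of ints, zero-padded on the right."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text, re.ASCII):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def header_version(php_source):
    """Return the 'Version:' field of a WordPress plugin header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def triage(php_source, two_factor_enabled):
    """Classify one install against the conditions in the CVE description.

    two_factor_enabled is supplied by the operator from the plugin settings
    (assumption: this script does not read it from the site itself).
    """
    raw = header_version(php_source)
    try:
        version = parse_version(raw) if raw else None
    except ValueError:
        version = None  # e.g. a pre-release suffix; needs a manual look
    if version is None:
        return "unknown"
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not-affected"
    # Vulnerable code is present; the bypass needs Two-Factor Authentication enabled.
    return "exposed" if two_factor_enabled else "affected-2fa-off"

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, two_factor_enabled=True))
```

An `affected-2fa-off` result still calls for the update to 9.1.2 or later, since enabling the setting afterwards would expose the site.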

## Help

```
$ ./exploit.py --help
usage: exploit.py [-h] -t TARGET [-uid USER_ID] [-v]

Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - v1.0 (2024-11-19)

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        URL of the target WordPress
  -uid USER_ID, --user-id USER_ID
                        Victim user ID (1 is usually the admin).
  -v, --verbose         verbose mode
```

## Examples

```
./exploit.py -t http://localhost:1337
```

```
./exploit.py -t http://localhost:1337 -uid 1 -v
```

## Vulnerable application

A vulnerable application can be set up using [this repository](https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-vulnerable-application).

## Authors

* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)

## License

See the [LICENSE](LICENSE) file for details.

## Acknowledgments

* [**István Márton**](https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass), the security researcher who discovered the vulnerability.