Exploits

Critical Vulnerabilities in WordPress Plugins: Act Now to Secure Your Site

Published  ·  3 min read

WordPress website owners are urged to act swiftly following the disclosure of two critical vulnerabilities in widely used plugins: Really Simple Security and WPLMS Learning Management System (LMS). These flaws pose significant risks, including unauthenticated access, arbitrary file deletion, and potential site takeovers.

1. Really Simple Security Vulnerability (CVE-2024-10924)

A high-severity authentication bypass vulnerability has been discovered in the Really Simple Security plugin (formerly Really Simple SSL), affecting versions 9.0.0 to 9.1.1.1.

Details

  1. CVSS Score: 9.8 (Critical)
  2. Exploitation: Attackers can bypass authentication and gain administrative access, even when two-factor authentication (2FA) is enabled.
  3. Cause: Improper error handling in the "check_login_and_get_user" function.
  4. Risk: The flaw is scriptable, enabling large-scale automated attacks targeting over 4 million websites using the plugin.

Mitigation

The issue was responsibly disclosed on November 6, 2024, and patched in version 9.1.2. WordPress collaborated with the plugin maintainers to force-update vulnerable sites before the public announcement.

Recommended Action:

  1. Update the plugin to version 9.1.2 or later immediately.
  2. If 2FA is enabled, verify the implementation’s security.

2. WPLMS LMS Vulnerability (CVE-2024-10470)

Another critical flaw, identified in the WPLMS Learning Management System, impacts versions prior to 4.963.

Details

  1. CVSS Score: 9.8 (Critical)
  2. Exploitation: Allows unauthenticated attackers to read and delete arbitrary files, including critical site configuration files such as wp-config.php.
  3. Impact: Deleting wp-config.php forces the WordPress site into a setup state, potentially allowing attackers to connect the site to a malicious database for a full site takeover.
  4. Cause: Insufficient file path validation and permissions checks.

Mitigation

The vulnerability can be addressed by upgrading to version 4.963 or newer.

Recommended Action:

  1. Immediately update WPLMS LMS to the latest version.
  2. Regularly monitor server file permissions for unauthorized changes.

Implications of Exploitation

These vulnerabilities highlight the potential consequences of insecure plugins:

  1. Full Administrative Access: Enables attackers to hijack websites and install malicious software.
  2. Arbitrary File Manipulation: Allows for deletion of critical files, compromising the site’s integrity.
  3. Data Theft: Sensitive user and admin credentials can be exposed.
  4. Platform Abuse: Compromised sites could be weaponized for phishing, spam, or malware distribution.

How to Stay Protected

To safeguard your WordPress site:

  1. Keep Plugins Updated: Regularly update all plugins to their latest versions.
  2. Use Trusted Plugins: Avoid plugins with poor security reviews or limited support.
  3. Backup Regularly: Maintain off-site backups for quick recovery in case of an attack.
  4. Enable Monitoring: Use security plugins to detect and block suspicious activity.
  5. Limit Permissions: Restrict access to critical files and functions.

By taking these precautions, you can minimize the risk of exploitation and ensure the integrity of your WordPress site.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067