So I just came across this WordPress vulnerability and it looks pretty serious. The ‘Really Simple Security’ plugin (formerly Really Simple SSL) has a flaw that lets attackers bypass authentication and get admin access. Apparently, it affects over 4 million websites.
The issue (CVE-2024-10924) was patched in version 9.1.2, but if you’re using anything between 9.0.0 and 9.1.1.1, your site might be at risk. WordPress is even pushing automatic updates because of how bad it is.
If you have this plugin, have you updated yet? Anyone seen any attacks happening?
Nate said:
Wow, I use that plugin on several sites. Glad they’re forcing an update, but how do I check my version?
You can check it by going to your WordPress dashboard, then Plugins > Installed Plugins. Look for ‘Really Simple Security’ and check the version number.
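For sites managed from a terminal rather than the dashboard, here is a small POSIX shell helper (an added example, not something posted in this thread) that reads the plugin's `Version:` header and tests whether it falls in the 9.0.0 to 9.1.1.1 range the thread describes as affected. The plugin directory path is an assumption about a typical install; the sample header at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: check a Really Simple Security install against the
# affected range named in the thread (9.0.0 through 9.1.1.1, fixed in 9.1.2).
# Assumed main-file location (adjust for your install):
#   wp-content/plugins/really-simple-ssl/<main plugin file>.php

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing trailing components count as 0,
# so 9.1 and 9.1.0 compare equal.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Succeeds (exit 0) when the version is within [9.0.0, 9.1.1.1] inclusive.
rss_is_affected() {
    v="$1"
    [ "$(vercmp "$v" 9.0.0)" -ge 0 ] && [ "$(vercmp "$v" 9.1.1.1)" -le 0 ]
}

# Pull the "Version:" value out of a WordPress plugin header block.
rss_version_from_header() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Demo on a constructed header file (not a real install).
demo_file=$(mktemp)
printf '<?php\n/**\n * Plugin Name: Really Simple Security\n * Version: 9.1.1.1\n */\n' > "$demo_file"
v=$(rss_version_from_header "$demo_file")
if rss_is_affected "$v"; then
    echo "version $v is in the affected range: update to 9.1.2 or later"
else
    echo "version $v is not in the affected range"
fi
rm -f "$demo_file"
```

Point `rss_version_from_header` at the plugin's main PHP file on a real site, or substitute the version WP-CLI reports, and the same `rss_is_affected` check applies.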
Clarke said: @Toby
Wait, what happens if wp-config.php is deleted?
Basically, WordPress thinks it’s a new install and lets someone set up the site from scratch. If an attacker does it, they can link it to their own database and take over.