CVE-2024-10924: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Really Simple Plugins Really Simple Security Pro multisite
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
AI Analysis
Technical Summary
CVE-2024-10924 is a critical vulnerability in the Really Simple Security WordPress plugins (Free, Pro, and Pro Multisite), versions 9.0.0 through 9.1.1.1. The defect is in the error handling around the 'check_login_and_get_user' function used by the plugin's two-factor authentication REST API actions: when the login check fails, the function returns an error rather than a user object, but the calling REST action does not fail closed on that error and continues as if the check had succeeded. Because the request identifies the target account, an unauthenticated attacker can obtain a logged-in session for any existing user, including an administrator. The flaw is only reachable when the plugin's "Two-Factor Authentication" setting is enabled; it is disabled by default. The issue is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the REST actions provide a route into authentication that skips the checks enforced on the normal login flow. Exploitation needs no privileges, no user interaction, and only network access to the site, which is reflected in the CVSS v3.1 score of 9.8 (high impact on confidentiality, integrity, and availability). The vendor fixed the issue in version 9.1.2. No known exploitation in the wild is recorded here, but the outcome of a successful attack is full site takeover, with data theft, defacement, or deployment of malicious code within the affected WordPress installation.
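The following Python model, added here and not taken from the Really Simple Security code base, reproduces the shape of the defect the advisory describes: a helper that returns an error object when the login check fails, and a REST action that neither tests for that object nor stops using the account identifier supplied in the request. The name check_login_and_get_user is kept from the advisory; WPError, User, set_auth_cookie, the sample user table and the nonce store are constructed stand-ins for WordPress internals, and the two "skip_onboarding" handlers are hypothetical illustrations of the vulnerable and hardened shapes, not the plugin's functions.

```python
from dataclasses import dataclass
from typing import Union


@dataclass
class WPError:
    """Stand-in for WordPress's WP_Error. Like the PHP object it is truthy,
    so a caller that only tests `if not result` never sees the failure."""
    code: str
    message: str


@dataclass
class User:
    ID: int
    user_login: str
    role: str


# Constructed sample data (hypothetical): a two-user site and one login nonce
# that the password step handed to user 2.
USERS = {1: User(1, "admin", "administrator"), 2: User(2, "editor", "editor")}
LOGIN_NONCES = {"nonce-issued-to-user-2": 2}


def is_wp_error(value) -> bool:
    """Mirror of WordPress's is_wp_error() check."""
    return isinstance(value, WPError)


def check_login_and_get_user(user_id: int, login_nonce: str) -> Union[User, WPError]:
    """Return the user only if the nonce proves the password step was passed."""
    if user_id not in USERS:
        return WPError("user_not_found", "no such user")
    if LOGIN_NONCES.get(login_nonce) != user_id:
        return WPError("invalid_nonce", "login nonce does not match user")
    return USERS[user_id]


def set_auth_cookie(user_id: int) -> str:
    """Stand-in for wp_set_auth_cookie(): returns the login of the session owner."""
    return USERS[user_id].user_login


def vulnerable_skip_onboarding(user_id: int, login_nonce: str):
    """Models the defect: the error return is never tested (a WPError is
    truthy), and the id taken from the request is authenticated anyway."""
    user = check_login_and_get_user(user_id, login_nonce)
    if not user:                      # never true for a WPError
        return WPError("auth_failed", "login check failed")
    return set_auth_cookie(user_id)   # attacker-chosen id becomes the session


def fixed_skip_onboarding(user_id: int, login_nonce: str):
    """Hardened form: fail closed on the error object and trust only the user
    object the check returned, never the raw request parameter."""
    user = check_login_and_get_user(user_id, login_nonce)
    if is_wp_error(user):
        return user
    return set_auth_cookie(user.ID)


if __name__ == "__main__":
    # Unauthenticated request naming the administrator with a junk nonce.
    print("vulnerable:", vulnerable_skip_onboarding(1, "anything"))          # admin
    print("fixed:     ", fixed_skip_onboarding(1, "anything"))               # WPError(invalid_nonce)
    print("legit:     ", fixed_skip_onboarding(2, "nonce-issued-to-user-2"))  # editor
```

The point to carry over to code review of any WordPress REST handler is the pair of checks in the hardened form: test the return value with is_wp_error() before using it, and derive the account to authenticate from the object the check produced rather than from the request.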
Potential Impact
Successful exploitation gives an unauthenticated attacker an administrator session on the affected site. From there the attacker can read any data the site holds (confidentiality), change content, settings, users and plugins (integrity), and take the site offline or delete content (availability). Typical follow-on activity is installation of a backdoor plugin or theme, injection of malicious code into pages, defacement, or use of the site as infrastructure for further attacks such as phishing or malware distribution. On a multisite network the exposure is wider, because a session as a network super administrator controls every site in the network. Because exploitation needs no user interaction and only network access, automated scanning for the affected versions is to be expected once the details are public, which puts every unpatched site with the two-factor setting enabled at risk regardless of its size or sector.
Mitigation Recommendations
First confirm whether the site runs Really Simple Security (Free, Pro, or Pro Multisite) at a version from 9.0.0 through 9.1.1.1 and whether the plugin's "Two-Factor Authentication" setting is enabled. The fix is to update to 9.1.2 or later; verify the installed version after updating rather than assuming an automatic update ran. Where an update cannot be applied immediately: 1) Disable the plugin's two-factor feature, or deactivate the plugin, which removes the vulnerable REST actions. 2) Put a WAF rule or access restriction in front of the plugin's two-factor REST routes; do not block the whole WordPress REST API (/wp-json/ and the ?rest_route= fallback), since the block editor and many plugins depend on it. 3) Review web server and authentication logs for POST requests to those routes from unexpected sources, and for successful administrator logins that are not preceded by a normal wp-login.php form submission. 4) Keep the number of administrator and super administrator accounts minimal and enforce strong passwords; the bypass targets existing accounts, so fewer privileged accounts means fewer high-value targets. 5) Keep tested backups of files and database so a compromised site can be rebuilt. 6) After patching, treat any site that was exposed with the two-factor setting enabled as potentially compromised: check for unknown administrator users and for new or modified plugin and theme files, and rotate credentials and the wp-config.php keys and salts. 7) If the plugin must be removed, replace two-factor coverage with a maintained alternative rather than running without it.
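A triage script for the version check and log review recommended above, added as an example and not part of the advisory or the plugin: it reads the version from a plugin main-file header, tests it against the affected range (9.0.0 through 9.1.1.1, padded to four components so that the fixed release 9.1.2 sorts above 9.1.1.1), and counts successful POSTs to the two-factor REST actions per client IP in combined-format web server logs. The route fragment 'two_fa', the 'example/v1' namespace and the log lines are constructed assumptions; substitute the route names from your installed copy of the plugin.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Affected range from the advisory, as four-component tuples so that
# 9.0.0 == (9, 0, 0, 0) and the fixed release 9.1.2 sorts above 9.1.1.1.
AFFECTED_MIN = (9, 0, 0, 0)
AFFECTED_MAX = (9, 1, 1, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.1.1.1' -> (9, 1, 1, 1); shorter strings are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True for 9.0.0 through 9.1.1.1 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", re.MULTILINE)


def version_from_plugin_header(main_file_text: str) -> str:
    """Read the Version: line of a WordPress plugin header comment."""
    m = _HEADER_RE.search(main_file_text)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)


# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def two_fa_rest_hits(log_lines: Iterable[str], route_fragment: str = "two_fa") -> Dict[str, int]:
    """Count, per client IP, successful POSTs to the plugin's two-factor REST
    actions. Both the /wp-json/ prefix and the ?rest_route= fallback are
    matched. route_fragment defaults to 'two_fa' as an assumption; set it to
    the route name from the plugin version you have installed."""
    hits: Counter = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        path = m.group("path")
        is_rest = "/wp-json/" in path or "rest_route=" in path
        if (m.group("method") == "POST" and is_rest
                and route_fragment in path and m.group("status") == "200"):
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample input (not real data): a vulnerable header and four log
# lines in which one client posts twice to the two-factor route, once per URL form.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2024:10:01:02 +0000] "POST /wp-json/example/v1/two_fa/skip HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/Nov/2024:10:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "python-requests/2.31"',
    '198.51.100.4 - - [15/Nov/2024:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Nov/2024:10:06:00 +0000] "POST /?rest_route=/example/v1/two_fa/skip HTTP/1.1" 200 512 "-" "curl/8.4"',
]

if __name__ == "__main__":
    v = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    state = "AFFECTED, update to 9.1.2 or later" if is_affected(v) else "not in affected range"
    print(f"installed {v}: {state}")
    for ip, n in sorted(two_fa_rest_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {n} successful POST(s) to two-factor REST route")
```

A POST to the two-factor route followed within seconds by a 200 on /wp-admin/ from the same address, as in the constructed sample, is the sequence to look for; a client that never submitted the wp-login.php form but holds an administrator session is the strongest single indicator.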
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2024-11-06T14:20:37.200Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697395744623b1157c4bc71d
Added to database: 1/23/2026, 3:36:20 PM
Last enriched: 2/28/2026, 11:22:50 AM
Last updated: 3/23/2026, 12:36:33 PM