CVE-2024-10924 is a critical vulnerability in the Really Simple Security WordPress plugins (Free, Pro, and Pro Multisite) versions 9.0.0 through 9.1.1.1. The vulnerability stems from improper user check error handling within the two-factor authentication REST API actions, specifically the 'check_login_and_get_user' function. This flaw allows an unauthenticated attacker to bypass authentication mechanisms and log in as any existing user on the site, including administrators, when the two-factor authentication feature is enabled (which is disabled by default). The attack vector is network-based, requiring no privileges or user interaction, making exploitation straightforward. The vulnerability compromises confidentiality, integrity, and availability by granting unauthorized access to sensitive administrative functions and data. The CVSS 3.1 score of 9.8 reflects the critical nature of this flaw, highlighting its potential for severe impact. While no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized rapidly. The issue affects multisite WordPress installations using the vulnerable plugin versions, which are common in enterprise and managed hosting environments. The root cause is a logic flaw in the REST API's two-factor authentication implementation, which fails to properly validate user authentication status before granting access.

For European organizations, this vulnerability poses a severe risk of unauthorized access to WordPress sites, potentially leading to full site compromise, data theft, defacement, or use of the site as a pivot point for further network attacks. Organizations relying on Really Simple Security Pro multisite plugins in critical infrastructure, e-commerce, government, or media sectors could face significant operational disruption and reputational damage. The ability to bypass two-factor authentication undermines a key security control, increasing the likelihood of successful attacks. Given the widespread use of WordPress in Europe and the popularity of security plugins, many organizations could be exposed. The vulnerability could also facilitate ransomware deployment or data exfiltration, impacting GDPR compliance and leading to regulatory penalties. The multisite nature of affected installations means that a single exploit could compromise multiple sites simultaneously, amplifying the impact. Additionally, the lack of required user interaction and authentication lowers the barrier for attackers, increasing the threat landscape.

European organizations should immediately verify if they are running Really Simple Security plugin versions 9.0.0 to 9.1.1.1, especially in multisite WordPress environments. Since no patch links are currently provided, organizations should monitor vendor advisories for updates and apply patches as soon as they become available. In the interim, disabling the two-factor authentication feature within the plugin can mitigate the vulnerability, as the bypass only occurs when this setting is enabled. Restricting REST API access through web application firewalls (WAFs) or IP whitelisting can reduce exposure. Implementing strict monitoring and alerting for unusual login activity or REST API calls can help detect exploitation attempts. Organizations should also review user accounts for suspicious activity and enforce strong password policies. Regular backups and incident response plans should be updated to prepare for potential exploitation. Finally, consider alternative security plugins with verified secure two-factor implementations until a patch is released.