Introductory Note: This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL , installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. The vulnerability is scriptable, meaning that it can be turned into a large scale automated attack, targeting WordPress websites. The vendor worked with the WordPress plugins team to force-update all sites running this plugin before we published this post. You Can Help by creating as much awareness around this issue in the community as possible, ensuring that any laggard and unmaintained sites update to the patched version. We encourage hosting providers to force-update their customers and perform scans on their hosting filesystems to ensure no customer is running an unpatched version of this plugin. It 's important to note that the Pro versions of this plugin are also affected by this vulnerability and sites running the premium versions should verify that they have automatically updated, so please do help get the word out. It appears that sites without a valid license may not have auto-updates functioning. The Details On November 6th, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in the Really Simpleā¦Read More
