Anka Markovic Borak, writing in vpnMentor »

A severe vulnerability affecting the Really Simple Security WordPress plugin, previously Really Simple SSL, has put four million websites at risk of potential takeover. Discovered on November 6, 2024, by Wordfence researchers, the flaw allows attackers to bypass authentication and gain administrative access due to faulty user verification handling.

Wordfence »

This is one of the more serious vulnerabilities that we have reported on in our 12-year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin.

The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack targeting WordPress websites. The vendor worked with the WordPress plugins team to force-update all sites running this plugin before we published this post.