## https://sploitus.com/exploit?id=F6805442-4B4F-5488-9054-1F287379A101
# CVE-2024-10924 : WordPress Really Simple Security authentication bypass flaw in Docker
## Description
The Really Simple Security plugins (Free, Pro, and Pro Multisite) for WordPress, versions 9.0.0 through 9.1.1.1, are affected by an authentication bypass vulnerability.
The issue is caused by improper error handling of the user check in the check_login_and_get_user function used by the plugin's two-factor REST API actions.
As a result, an unauthenticated attacker can log in as any existing user, including an administrator, when the "Two-Factor Authentication" setting is enabled (it is disabled by default).
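Because the affected range ends at a four-component version (9.1.1.1), a plain string comparison gets the check wrong (for example "9.1.10" sorts before "9.1.1.1" as text). The following triage helper is an added example written for this page, not code from the plugin or from the lab repository: it parses the `Version:` line of a WordPress plugin header, compares it numerically against the range stated above, and combines the result with the two-factor setting, which the description identifies as the precondition for exploitation. The sample plugin header is constructed, and the assumption that the main plugin file carries a standard WordPress `Version:` header line is mine.

```python
import re

# Affected range from the advisory: 9.0.0 through 9.1.1.1 (inclusive).
AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX = (9, 1, 1, 1)

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 * Author: Really Simple Plugins
 */
"""


def parse_version(version: str) -> tuple:
    """Turn '9.1.1.1' into (9, 1, 1, 1) so comparisons are numeric per component."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def version_from_plugin_header(header_text: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: line found in plugin header")
    return match.group(1)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range.

    Python compares tuples element by element, so (9, 1, 1) < (9, 1, 1, 1)
    and (9, 1, 2) > (9, 1, 1, 1), which matches semantic version ordering.
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str, two_factor_enabled: bool) -> str:
    """Combine version check with the 2FA precondition from the advisory."""
    if not is_affected(version):
        return "not affected"
    if two_factor_enabled:
        return "exploitable: affected version and Two-Factor Authentication enabled"
    return "affected version, but not exploitable while Two-Factor Authentication is disabled"


if __name__ == "__main__":
    found = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(found, "->", assess(found, two_factor_enabled=True))
```

Feed `version_from_plugin_header` the contents of the plugin's main PHP file from `wp-content/plugins/` and pass the site's actual 2FA setting to `assess`; the second argument matters because the bypass only applies when the feature has been switched on.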
## Vulnerable docker
```bash
git clone git@github.com:Trackflaw/CVE-2024-10924-Wordpress-Docker.git
cd CVE-2024-10924-Wordpress-Docker
docker compose up --build
```
## Video
https://github.com/user-attachments/assets/124a4916-b0ba-472a-b880-63e774f809bd