SentinelOne
CVE Vulnerability Database

CVE-2024-10924: Really Simple Security Auth Bypass Flaw

CVE-2024-10924 is an authentication bypass vulnerability in Really Simple Security for WordPress that lets unauthenticated attackers log in as any existing user, including administrators, whenever the plugin's two-factor authentication setting is enabled. This article covers technical details, impact, detection, and fixes.

Updated: May 15, 2026

CVE-2024-10924 Overview

CVE-2024-10924 is an authentication bypass vulnerability in the Really Simple Security plugin for WordPress (formerly Really Simple SSL; the wordpress.org slug is still really-simple-ssl), affecting the Free, Pro, and Pro Multisite editions in versions 9.0.0 through 9.1.1.1. The flaw resides in the plugin's two-factor REST API actions, where the check_login_and_get_user function mishandles the error case of its user check. Unauthenticated attackers can exploit this to log in as any existing user, including administrators, whenever the plugin's Two-Factor Authentication setting is enabled. With more than four million installations, this was one of the most widely exposed WordPress plugin vulnerabilities of 2024.

Critical Impact

Remote unauthenticated attackers can authenticate as any WordPress administrator on vulnerable sites with 2FA enabled, leading to full site takeover.

Affected Products

  • Really Simple Security (Free) for WordPress versions 9.0.0 to 9.1.1.1
  • Really Simple Security Pro for WordPress versions 9.0.0 to 9.1.1.1
  • Really Simple Security Pro Multisite for WordPress versions 9.0.0 to 9.1.1.1

Discovery Timeline

  • 2024-11-15 - CVE-2024-10924 published to NVD
  • 2026-01-23 - Last updated in NVD database

Technical Details for CVE-2024-10924

Vulnerability Analysis

The vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for a Critical Function). It exists in the two-factor onboarding REST API code shipped with the plugin, specifically in class-rsssl-two-factor-on-board-api.php. The check_login_and_get_user function returns on a single path for both a successful lookup and an error, and the calling code does not distinguish the two: when a request triggers the error branch (for example, a login nonce that does not match), downstream code still proceeds as if it held a verified user. An attacker submitting a crafted REST request to the two-factor onboarding endpoint can therefore supply a target user_id and receive a valid session as that user.

The issue only manifests when the Two-Factor Authentication feature is enabled in the plugin. While 2FA is disabled by default, administrators who enabled it for stronger security ironically exposed their sites to complete authentication bypass.

Root Cause

The root cause is improper error handling in the user validation path. Lines 67, 277, and 278 of class-rsssl-two-factor-on-board-api.php retrieve a user object but fail to verify whether the returned value represents a WP_Error or an authenticated user. The REST endpoint then sets authentication cookies based on the attacker-supplied identifier without verifying credentials or one-time codes.
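The pattern behind that root cause, shown as an added illustration rather than the plugin's own code: a helper that returns either a WP_User or a WP_Error on the same path, a vulnerable REST callback that never tests for the error and issues a cookie keyed on the request's user_id, and the hardened form that fails closed and derives the session only from the verified user. Class, method and meta-key names are hypothetical; it assumes WordPress is loaded so WP_Error, WP_User, WP_REST_Request, WP_REST_Response, is_wp_error(), get_user_by(), get_user_meta(), wp_set_current_user(), wp_set_auth_cookie() and admin_url() are available.

```php
<?php
/**
 * Added illustration of the CVE-2024-10924 bug class (an auth decision that
 * ignores an error return). NOT the plugin's own code: names are hypothetical
 * stand-ins and WordPress core is assumed to be loaded.
 */
class Example_Two_Fa_Onboard_Api {

    /**
     * Returns the WP_User on success, or a WP_Error when the user does not
     * exist or the login nonce does not match. Both outcomes share one return
     * path, which is exactly what the caller must disambiguate.
     */
    private function check_login_and_get_user( int $user_id, string $login_nonce ) {
        $user = get_user_by( 'id', $user_id );
        if ( ! $user ) {
            return new WP_Error( 'example_no_user', 'Unknown user.', [ 'status' => 404 ] );
        }
        if ( ! $this->verify_login_nonce( $user_id, $login_nonce ) ) {
            return new WP_Error( 'example_invalid_nonce', 'Invalid login nonce.', [ 'status' => 403 ] );
        }
        return $user;
    }

    /**
     * VULNERABLE PATTERN: the error branch is never tested and the session is
     * issued for the request-supplied user_id. With a bogus nonce, an
     * unauthenticated caller gets a cookie for whatever user ID they name.
     */
    public function skip_onboarding_vulnerable( WP_REST_Request $request ) {
        $user_id     = (int) $request->get_param( 'user_id' );
        $login_nonce = (string) $request->get_param( 'login_nonce' );

        $user = $this->check_login_and_get_user( $user_id, $login_nonce );
        // Missing here: if ( is_wp_error( $user ) ) { return $user; }
        // $user may be a WP_Error, yet execution falls through to the cookie.
        wp_set_auth_cookie( $user_id, true );
        return new WP_REST_Response( [ 'redirect_to' => admin_url() ] );
    }

    /**
     * HARDENED PATTERN: fail closed on any error and take the identity only
     * from the verified WP_User, never from request input.
     */
    public function skip_onboarding_fixed( WP_REST_Request $request ) {
        $user_id     = (int) $request->get_param( 'user_id' );
        $login_nonce = (string) $request->get_param( 'login_nonce' );

        $user = $this->check_login_and_get_user( $user_id, $login_nonce );
        if ( is_wp_error( $user ) ) {
            // WP_REST_Server turns a returned WP_Error into a JSON error
            // response using the status carried in the error data (403/404).
            return $user;
        }
        if ( ! $user instanceof WP_User ) {
            return new WP_Error( 'example_unexpected', 'Unexpected result.', [ 'status' => 500 ] );
        }
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID, true );
        return new WP_REST_Response( [ 'redirect_to' => admin_url() ] );
    }

    /**
     * Hypothetical nonce check: a short-lived, per-user secret stored as user
     * meta at password login, compared in constant time.
     */
    private function verify_login_nonce( int $user_id, string $login_nonce ): bool {
        $stored = get_user_meta( $user_id, '_example_login_nonce', true );
        if ( ! is_string( $stored ) || $stored === '' || $login_nonce === '' ) {
            return false;
        }
        return hash_equals( $stored, $login_nonce );
    }
}
```

With the vulnerable callback, a POST carrying user_id=1 and any login_nonce value reaches wp_set_auth_cookie( 1 ) even though the helper returned a WP_Error; the same request against the fixed callback returns a 403 JSON error before any cookie is set. The second guard (instanceof WP_User) is cheap insurance against a future refactor of the helper returning some third type.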

Attack Vector

Exploitation requires only network access to the WordPress site's REST API. The attacker sends an HTTP POST request to the vulnerable two-factor REST route with parameters naming the target user account; no credentials, valid nonce, one-time code, or user interaction is needed. Public proof-of-concept exploits are available, including a GitHub PoC repository and a chain that uses the obtained administrator session to achieve remote code execution by uploading a plugin or theme. The EPSS score of 93.889% (99.878th percentile) indicates a very high predicted likelihood of exploitation in the wild.

For technical specifics, see the Wordfence vulnerability analysis and the upstream code review of the vulnerable function.

Detection Methods for CVE-2024-10924

Indicators of Compromise

  • HTTP requests to /wp-json/reallysimplessl/v1/two_fa/skip_onboarding or related reallysimplessl/v1/two_fa/ REST routes from unauthenticated sources.
  • Unexpected administrator logins in WordPress audit or activity logs without a corresponding successful password authentication (wp-login.php) event.
  • Newly created administrator accounts, plugin installations, or theme uploads following suspicious REST API traffic.
  • Outbound connections from the WordPress host to attacker-controlled infrastructure shortly after REST API access.

Detection Strategies

  • Inspect web server access logs for POST requests to reallysimplessl/v1/two_fa/ routes from anonymous clients, including the ?rest_route=/reallysimplessl/v1/two_fa/... form used when pretty permalinks are off. Note that user_id and login_nonce travel in the POST body, so they show up only in WAF logs or logs configured to capture request bodies, not in standard access logs.
  • Correlate WordPress authentication events with web requests to identify sessions established without prior wp-login.php activity.
  • Deploy WordPress security plugins or web application firewall (WAF) rules that detect the published exploit signatures for CVE-2024-10924.
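The indicators and detection strategies above, applied to access logs as an added example (not part of the original page or the plugin): a small PHP script that parses combined-format web-server log lines, maps each request target to the plugin REST route it hits through either URL form, and reports every request into the two_fa namespace, flagging the ones the server accepted. The sample log lines at the bottom are constructed for the example; it assumes PHP 8.0 or later.

```php
<?php
/**
 * Added example, not from the original page or the plugin: hunt for requests
 * that reach the Really Simple Security two-factor REST routes in Apache/nginx
 * combined-format access logs. Sample lines below are constructed.
 */

const RSSSL_TWO_FA_PREFIX = '/reallysimplessl/v1/two_fa/';

/**
 * Map a request target to the plugin REST route it hits, or null if it does not
 * touch the two_fa namespace. Covers pretty-permalink URLs (/wp-json/<route>)
 * and the ?rest_route=<route> form that WordPress accepts when pretty
 * permalinks are off, which a naive grep for /wp-json/ would miss.
 */
function rsssl_two_fa_route( string $target ): ?string {
    $path = parse_url( $target, PHP_URL_PATH );
    if ( is_string( $path ) && preg_match( '#^/wp-json(' . RSSSL_TWO_FA_PREFIX . '.*)$#', $path, $m ) ) {
        return $m[1];
    }
    $query = parse_url( $target, PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $params );
        $rest_route = $params['rest_route'] ?? null;
        if ( is_string( $rest_route ) && str_starts_with( $rest_route, RSSSL_TWO_FA_PREFIX ) ) {
            return $rest_route;
        }
    }
    return null;
}

/** Split one combined-format line into the fields the hunt needs; null if unparseable. */
function parse_access_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+(?: "[^"]*" "([^"]*)")?/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6] ?? '',
    ];
}

/**
 * Return every request into the two_fa namespace. A 2xx on skip_onboarding is
 * the strongest signal, since the vulnerable handler answered success and set a
 * cookie; rejected attempts (4xx) still show who probed and from where.
 */
function find_two_fa_requests( iterable $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = parse_access_log_line( rtrim( (string) $line ) );
        if ( $req === null ) {
            continue;
        }
        $route = rsssl_two_fa_route( $req['target'] );
        if ( $route === null ) {
            continue;
        }
        $req['route']    = $route;
        $req['accepted'] = $req['status'] >= 200 && $req['status'] < 300;
        $hits[]          = $req;
    }
    return $hits;
}

// Constructed sample lines: an accepted bypass attempt via /wp-json/, the same
// client then reaching the plugin installer, a rejected attempt via ?rest_route=,
// and unrelated REST traffic that must not match.
$sample_log = [
    '203.0.113.7 - - [15/Nov/2024:03:12:44 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 87 "-" "python-requests/2.32.3"',
    '203.0.113.7 - - [15/Nov/2024:03:12:45 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 51223 "-" "python-requests/2.32.3"',
    '198.51.100.9 - - [15/Nov/2024:03:20:01 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 64 "-" "curl/8.4.0"',
    '192.0.2.33 - - [15/Nov/2024:09:00:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
];

// Usage: php hunt_two_fa.php [/var/log/nginx/access.log]; without a path the samples run.
$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample_log;
foreach ( find_two_fa_requests( $lines ) as $hit ) {
    printf(
        "%s %s %s %s -> %d%s (%s)\n",
        $hit['time'], $hit['client'], $hit['method'], $hit['route'],
        $hit['status'], $hit['accepted'] ? ' ACCEPTED' : '', $hit['ua']
    );
}
```

On the constructed input the script reports the first and third lines only: the 203.0.113.7 request is marked ACCEPTED, and the 198.51.100.9 request is listed as a rejected probe. The wp-admin hit from the same client a second later is the kind of follow-on activity the IoC list describes; correlating on the client address across the two is the next step, which this script leaves to the SIEM the monitoring recommendations point at.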

Monitoring Recommendations

  • Enable verbose REST API request logging and forward logs to a centralized SIEM for correlation and retention.
  • Alert on changes to administrator role membership, new plugin uploads, and modifications to core WordPress files.
  • Track the installed Really Simple Security version through automated asset inventory to confirm every instance is at 9.1.2 or later.

How to Mitigate CVE-2024-10924

Immediate Actions Required

  • Update Really Simple Security (Free, Pro, and Pro Multisite) to version 9.1.2 or later immediately on all WordPress installations.
  • Audit administrator accounts and recently installed plugins or themes for unauthorized changes.
  • Rotate WordPress administrator passwords and invalidate all active sessions after patching.
  • Review web server and REST API logs for prior exploitation attempts dating back to the plugin upgrade to 9.0.0.

Patch Information

The vendor released a fix in version 9.1.2 of Really Simple Security. WordPress.org and the plugin developer initiated a forced auto-update for affected sites because of the scope of the vulnerability. Review the corrected code in WordPress Change Set 3188431. Confirm the installed version is at minimum 9.1.2 across all WordPress sites, including staging and multisite networks.

Workarounds

  • Disable the Two-Factor Authentication setting within Really Simple Security if immediate patching is not possible, since the bypass only triggers when 2FA is enabled. This removes the second factor for users who rely on it, so treat it strictly as an interim measure.
  • Temporarily deactivate the Really Simple Security plugin until version 9.1.2 or later can be installed. The plugin also handles HTTPS redirection on many sites, so confirm that behaviour survives deactivation.
  • Block external access to the /wp-json/reallysimplessl/ REST namespace (and the equivalent ?rest_route=/reallysimplessl/ form) at the WAF or reverse proxy layer. This also blocks the plugin's legitimate onboarding calls, which is acceptable for an interim control.
```bash
# If patching must wait, deactivate the plugin first (removes the vulnerable REST routes);
# reactivate with `wp plugin activate really-simple-ssl` once the patched version is confirmed
wp plugin deactivate really-simple-ssl

# Update Really Simple Security via WP-CLI; drop --version to take the latest release.
# The Pro editions install under their own slug, so check `wp plugin list` first.
wp plugin update really-simple-ssl --version=9.1.2

# Verify the installed version is 9.1.2 or later
wp plugin get really-simple-ssl --field=version
```
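The third workaround, blocking the namespace, can also be applied inside WordPress when no WAF or reverse proxy is available. The following must-use plugin is an added example, not vendor code or anything from the original page: it hooks WordPress core's rest_pre_dispatch filter and answers every request to the reallysimplessl/v1/two_fa/ namespace with a 403 before the plugin's callback runs. The plugin header, constant and error code are hypothetical; the namespace prefix is taken from the indicators above.

```php
<?php
/**
 * Plugin Name: Example CVE-2024-10924 interim guard
 * Description: Added example, not vendor code. Short-circuits every request to
 * the reallysimplessl/v1/two_fa/ REST namespace with a 403 until Really Simple
 * Security is updated to 9.1.2 or later. Install as a must-use plugin
 * (wp-content/mu-plugins/) so it loads regardless of plugin activation state,
 * and delete it after patching.
 */

// Assumed: prefix taken from the indicators above; everything else is hypothetical.
define( 'EXAMPLE_RSSSL_TWO_FA_PREFIX', '/reallysimplessl/v1/two_fa/' );

add_filter(
    'rest_pre_dispatch',
    function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
        if ( ! empty( $result ) ) {
            return $result; // another filter already answered this request
        }
        // get_route() is normalised by WP_REST_Server for both /wp-json/<route>
        // and ?rest_route=<route> requests, so one check covers both forms.
        $route = $request->get_route();
        if ( strpos( $route, EXAMPLE_RSSSL_TWO_FA_PREFIX ) !== 0 ) {
            return $result;
        }
        // Behind a load balancer REMOTE_ADDR is the proxy; log whatever header
        // your edge forwards for the real client instead.
        error_log( sprintf(
            'CVE-2024-10924 guard: blocked %s %s from %s',
            $request->get_method(),
            $route,
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        // Returning a WP_Error makes WP_REST_Server emit a JSON error carrying
        // the status from the error data, without invoking the route callback.
        return new WP_Error(
            'example_rsssl_two_fa_blocked',
            'Two-factor onboarding endpoints are disabled pending a plugin update.',
            [ 'status' => 403 ]
        );
    },
    0,
    3
);
```

Functionally this is the same trade-off as the first workaround: users cannot complete the plugin's two-factor onboarding while the guard is in place. It does nothing for sessions an attacker already obtained, so the credential rotation and session invalidation listed under Immediate Actions still apply.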

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: Auth Bypass
  • Vendor/Tech: Really Simple Security
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 93.89%
  • Known Exploited: Yes
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CWE References
  • CWE-288
  • CWE-306
Technical References
  • WordPress Code Review, Line 67
  • WordPress Code Review, Line 277
  • WordPress Code Review, Line 278
  • Wordfence Blog Vulnerability Post
  • Wordfence Vulnerability Details
  • GitHub CVE-2024-10924 Exploit

Vendor Resources
  • WordPress Change Set 3188431
©2026 SentinelOne, All Rights Reserved.
