WordPress Plugin Security Update Advisory (CVE-2024-10924, CVE-2024-8856)

Overview

An update has been released to address vulnerabilities in the WordPress plugins Really Simple Security (Free, Pro, Pro Multisite) and WP Time Capsule. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-10924

  • Really Simple Security (Free, Pro, Pro Multisite) versions 9.0.0 through 9.1.1.1 (inclusive)

CVE-2024-8856

  • WP Time Capsule versions up to and including 1.22.21

Resolved Vulnerabilities

User verification error in the two-factor authentication REST API, which could allow an unauthenticated attacker to log in as an administrator account (CVE-2024-10924)

Arbitrary file upload vulnerability that could allow an unauthenticated attacker to upload a malicious file to the server, resulting in remote code execution (CVE-2024-8856)

Vulnerability Patches

Patches are available in the latest plugin updates. Follow the instructions on the referenced sites to update to the patched version.

CVE-2024-10924

  • Really Simple Security (Free, Pro, Pro Multisite) version: 9.1.2

CVE-2024-8856

  • WP Time Capsule version: 1.22.22
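As an added example (not part of this advisory or of either plugin's own code), the following Python script checks a plugin's declared version against the affected ranges and fixed versions listed above. The plugin header is constructed sample input; in practice the text is read from the plugin's main PHP file, whose path is an assumption of the operator.

```python
import re
from typing import Optional, Tuple

# (lowest affected, highest affected, first fixed) per CVE, as stated in the advisory.
# A lower bound of None means every release up to the upper bound is affected.
ADVISORY = {
    "CVE-2024-10924": ("Really Simple Security", "9.0.0", "9.1.1.1", "9.1.2"),
    "CVE-2024-8856": ("WP Time Capsule", None, "1.22.21", "1.22.22"),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.1.1' into (9, 1, 1, 1); any non-numeric parts are ignored."""
    return tuple(int(m) for m in re.findall(r"\d+", text))

def cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare with zero padding so 9.1.1 == 9.1.1.0 and 9.1.1 < 9.1.1.1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(cve: str, version: str) -> bool:
    """True if the installed version lies inside the advisory's affected range."""
    _, low, high, _ = ADVISORY[cve]
    v = parse_version(version)
    above_low = low is None or cmp(v, parse_version(low)) >= 0
    return above_low and cmp(v, parse_version(high)) <= 0

# WordPress reads plugin metadata from a comment header in the main PHP file;
# this pattern accepts the same loosely formatted "Version:" line.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", re.MULTILINE)

def plugin_version(php_source: str) -> Optional[str]:
    """Extract the declared version from a plugin's header comment, if any."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None

# Constructed sample header standing in for the plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1.1
 */
"""

if __name__ == "__main__":
    ver = plugin_version(SAMPLE_HEADER)
    state = "AFFECTED" if is_affected("CVE-2024-10924", ver) else "not affected"
    print(f"Really Simple Security {ver}: {state}; fixed in {ADVISORY['CVE-2024-10924'][3]}")
```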

Referenced Sites

[1] CVE-2024-10924 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-10924

[2] Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 – 9.1.1.1 – Authentication Bypass

https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass

[3] CVE-2024-8856 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-8856

[4] Backup and Staging by WP Time Capsule <= 1.22.21 – Unauthenticated Arbitrary File Upload

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-time-capsule/backup-and-staging-by-wp-time-capsule-12221-unauthenticated-arbitrary-file-upload