WordPress Really Simple SSL Plugin <= 7.2.3 is vulnerable to Server Side Request Forgery (SSRF)<\/p>
Software: Really Simple SSL<\/p>
Link: https:\/\/wordpress.org\/plugins\/really-simple-ssl\/#developers<\/p>
Affected Version <= 7.2.3<\/p>
Fixed in version 8.0.0 <\/p>","date":"2024-04-16"},{"id":"1dc466a13acc1dcbae9c2927d1a3c900f68ec22b","name":"Really Simple SSL <= 7.2.3 - Authenticated (Admin+) Server-Side Request Forgery","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/really-simple-ssl\/really-simple-ssl-723-authenticated-admin-server-side-request-forgery","description":"The Really Simple SSL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.2.3. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.","date":"2024-04-16"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:L\/I:L\/A:N","av":"n","ac":"l","pr":"h","ui":"n","s":"c","c":"l","i":"l","a":"n","score":"5.5","severity":"m","exploitable":"2.3","impact":"2.7"},"cvss3":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:L\/I:L\/A:N","score":"5.5","severity":"medium","av":"network","ac":"low","pr":"high","ui":"none","s":"changed","c":"low","i":"low","a":"none","exploitable":"2.3","impact":"2.7"},"cwe":[{"cwe":"CWE-918","name":"Server-Side Request Forgery (SSRF)","description":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination."}],"ssvc":{"exploitation":"none","automatable":"no","technical_impact":"partial","kev":false,"kev_date":null}}},{"uuid":"b134b416b8742c9cf566baf12dda7bd6db0b4a0d28101d18e81a5fd8778463ea","name":"Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl] >= 9.0.0 - <= 9.1.1.1","description":null,"operator":{"min_version":"9.0.0","min_operator":"ge","max_version":"9.1.1.1","max_operator":"le","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2024-10924","name":"CVE-2024-10924","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-10924","description":"[en] The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the \"Two-Factor Authentication\" setting is enabled (disabled by default).","date":"2024-11-15"},{"id":"224ee9406ed68fd4badd0e03b96f3e4160a1f3b8","name":"WordPress Really Simple SSL Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/really-simple-ssl\/vulnerability\/wordpress-really-simple-security-plugin-9-0-0-9-1-1-1-unauthenticated-authentication-bypass-vulnerability","description":"
WordPress Really Simple SSL Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication<\/p>
Software: Really Simple SSL<\/p>
Link: https:\/\/wordpress.org\/plugins\/really-simple-ssl\/#developers<\/p>
Affected Version 9.0.0-9.1.1.1<\/p>
Fixed in version 9.1.2 <\/p>","date":"2024-11-14"},{"id":"b2fca7daff45d35bc91fdf21b6783800f7539c98","name":"Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass","description":"The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the \"Two-Factor Authentication\" setting is enabled (disabled by default).","date":"2024-11-14"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","av":"n","ac":"l","pr":"n","ui":"n","s":"u","c":"h","i":"h","a":"h","score":"9.8","severity":"c","exploitable":"3.9","impact":"5.9"},"cvss3":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","score":"9.8","severity":"critical","av":"network","ac":"low","pr":"none","ui":"none","s":"unchanged","c":"high","i":"high","a":"high","exploitable":"3.9","impact":"5.9"},"cwe":[{"cwe":"CWE-288","name":"Authentication Bypass Using an Alternate Path or Channel","description":"The product requires authentication, but the product has an alternate path or channel that does not require authentication."},{"cwe":"CWE-306","name":"Missing Authentication for Critical Function","description":"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources."}],"ssvc":{"exploitation":"none","automatable":"yes","technical_impact":"total","kev":false,"kev_date":null}}},{"uuid":"3037b9cb8017005c897bbab6dfacc9142e3214dc6f1943b8e30051797898aae9","name":"Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl] < 9.2.0","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"9.2.0","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2025-24623","name":"CVE-2025-24623","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-24623","description":"[en] Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Cross Site Request Forgery.This issue affects Really Simple SSL: from n\/a through <= 9.1.4.","date":"2025-01-24"},{"id":"f71a8da21666b2dff86aaa0cb406c195a4c906f7","name":"WordPress Really Simple SSL Plugin <= 9.1.4 is vulnerable to Cross Site Request Forgery (CSRF)","link":"https:\/\/patchstack.com\/database\/wordpress\/plugin\/really-simple-ssl\/vulnerability\/wordpress-really-simple-security-plugin-9-1-4-cross-site-request-forgery-csrf-vulnerability","description":"
WordPress Really Simple SSL Plugin <= 9.1.4 is vulnerable to Cross Site Request Forgery (CSRF)<\/p>
Software: Really Simple SSL<\/p>
Fixed in version 9.2.0 <\/p>
Affected Version <= 9.1.4<\/p>
CVE: CVE-2025-24623<\/p>","date":"2025-01-24"},{"id":"93488cd46d044dc3648f2c40b64efb1dcf5d5038","name":"Really Simple SSL <= 9.1.4 - Cross-Site Request Forgery","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/really-simple-ssl\/really-simple-ssl-914-cross-site-request-forgery","description":"The Really Simple SSL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.1.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","date":"2025-01-24"},{"id":"EUVD-2025-3825","name":"EUVD-2025-3825","link":"https:\/\/euvd.enisa.europa.eu\/enisa\/EUVD-2025-3825","description":"Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Security Really Simple SSL allows Cross Site Request Forgery. This issue affects Really Simple SSL: from n\/a through 9.1.4.","date":"2025-01-24"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N","av":"n","ac":"l","pr":"n","ui":"r","s":"u","c":"n","i":"l","a":"n","score":"4.3","severity":"m","exploitable":"0.0","impact":"0.0"},"cvss3":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:L\/A:N","score":"4.3","severity":"medium","av":"network","ac":"low","pr":"none","ui":"required","s":"unchanged","c":"none","i":"low","a":"none","exploitable":"0.0","impact":"0.0"},"cwe":[{"cwe":"CWE-352","name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor."}],"ssvc":{"exploitation":"none","automatable":"no","technical_impact":"partial","kev":false,"kev_date":null}}},{"uuid":"78a28869be6d0a46e00e1937c7054f79c34b476da69113b5a7cff49f96eef98f","name":"Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) [really-simple-ssl] < 9.5.8","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"9.5.8","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2026-32461","name":"CVE-2026-32461","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-32461","description":"[en] Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple SSL: from n\/a through <= 9.5.7.","date":"2026-03-13"},{"id":"dec6c8eb54806ce40b3001b2a78c96e86ba3fa11","name":"Really Simple Security \u2013 Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 - Missing Authorization","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/really-simple-ssl\/really-simple-security-simple-and-performant-security-formerly-really-simple-ssl-957-missing-authorization","description":"The Really Simple Security \u2013 Simple and Performant Security (formerly Really Simple SSL) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 9.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","date":"2026-03-15"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"n","i":"l","a":"n","score":"4.3","severity":"m","exploitable":"3.9","impact":"1.4"},"cvss3":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:L\/A:N","score":"4.3","severity":"medium","av":"network","ac":"low","pr":"low","ui":"none","s":"unchanged","c":"none","i":"low","a":"none","exploitable":"3.9","impact":"1.4"},"cwe":[{"cwe":"CWE-862","name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."}],"ssvc":{"exploitation":"none","automatable":"yes","technical_impact":"partial","kev":false,"kev_date":null}}}]},"updated":"1776153795"}