threatover

// CVE-2024-10924 · AUTH BYPASS · 4M SITES

Really Simple Security got you?
We clean up after it.

An auth bypass in Really Simple Security let unauthenticated attackers log in as any admin. If your site ran an affected version (9.0.0–9.1.1.1) with 2FA enabled, assume compromise. We clean it, identify persistence, harden, and report. Flat $279.

§ 01 — WHAT THE BUG WAS

Authentication bypass via the 2FA REST endpoint.

Really Simple Security exposed a REST route used to complete its two-factor login flow. The handler accepted a user_id from the request and authenticated the caller as that user without verifying that the caller had passed the first factor. An unauthenticated attacker could request user_id=1 and be logged in as the site administrator.

Affected versions: 9.0.0 to 9.1.1.1. Patched in 9.1.2. The vulnerable code path was only reachable when the plugin's 2FA feature was enabled. The patched release was pushed as a forced auto-update, but the disclosure was public, so attack activity began immediately.

§ 02 — INDICATORS WE LOOK FOR

Where attackers leave traces after a successful login.

  • [ USERS ]

    Administrator accounts created in the disclosure window (after 2024-11-12). Check wp_users.user_registered against your records.

  • [ FILES ]

    Recently modified PHP in wp-content/plugins/, wp-content/mu-plugins/, wp-content/themes/active-theme/, and any PHP in wp-content/uploads/.

  • [ OPTIONS ]

    wp_options autoload rows added since the disclosure; suspicious base64-encoded values; rogue active_plugins entries.

  • [ ACCESS LOG ]

    POSTs to /wp-json/reallysimplessl/v1/two_fa/skip_onboarding (and related routes). Many requests with 200 status from a small set of IPs.
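The access-log check above, as an added example rather than anything from the service's own tooling: it parses combined-format log lines, keeps successful POSTs to the 2FA route (and sibling routes under the same prefix, with query strings ignored), and counts them per source IP. The log lines are constructed samples, not data from a real incident.

```python
import re
from collections import Counter, defaultdict

# Route prefix named in the indicators section; sibling routes share it.
TWO_FA_PREFIX = "/wp-json/reallysimplessl/v1/two_fa/"

# Apache/nginx "combined" log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 test addresses), not a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2024:02:14:01 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [13/Nov/2024:02:14:02 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [13/Nov/2024:02:15:30 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding?user_id=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.5 - - [13/Nov/2024:02:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.5 - - [13/Nov/2024:02:16:05 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bypass_attempts(log_text):
    """Map ip -> Counter(route -> count) for POSTs to the 2FA routes that returned 2xx.

    A 2xx on these routes during the exposure window is the signal; non-2xx
    responses (e.g. blocked by a WAF) are deliberately left out of the result.
    The query string is stripped so '?user_id=1' variants match the same route.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        route = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and route.startswith(TWO_FA_PREFIX) and rec["status"].startswith("2"):
            hits[rec["ip"]][route] += 1
    return hits


if __name__ == "__main__":
    for ip, routes in sorted(find_bypass_attempts(SAMPLE_LOG).items()):
        for route, n in routes.items():
            print(f"{ip:16} {n:4}  {route}")
```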

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT RATE · ONE-TIME · PER SITE

Manual cleanup, identification of the attack vector, written forensic report. 30-day reinfection guarantee.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANYTIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Site compromised? Start an engagement.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open the form →