WP Force SSL & HTTPS SSL Redirect Vulnerability – Missing Authorization to Settings Update – CVE-2024-5770 | WordPress Plugin Vulnerability Report

Plugin Name: WP Force SSL & HTTPS SSL Redirect

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-force-ssl
  • Software Status: Active
  • Software Author: webfactory
  • Software Downloads: 1,473,630
  • Active Installs: 100,000
  • Last Updated: June 19, 2024
  • Patched Versions: 1.67
  • Affected Versions: <= 1.66

Vulnerability Details:

  • Name: WP Force SSL & HTTPS SSL Redirect <= 1.66
  • Title: Missing Authorization to Settings Update
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
  • CVE: CVE-2024-5770
  • CVSS Score: 4.2
  • Publicly Published: June 7, 2024
  • Researcher: Foxyyy
  • Description: The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This allows authenticated attackers with Subscriber-level permissions and above to update plugin settings.

Summary:

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress has a vulnerability in versions up to and including 1.66 that allows authenticated attackers with Subscriber-level permissions and above to modify plugin settings. This vulnerability has been patched in version 1.67.

Detailed Overview:

The vulnerability arises from a lack of proper capability checks in the 'ajax_save_setting' function. This oversight enables low-privileged authenticated users (Subscriber-level and above) to manipulate critical plugin settings related to SSL and HTTPS redirection. Exploitation of this vulnerability could lead to unintended changes in website behavior and compromise site security by misconfiguring SSL settings.

Advice for Users:

  • Immediate Action: Update WP Force SSL & HTTPS SSL Redirect plugin to version 1.67 or later immediately to mitigate the risk of unauthorized settings modification.
  • Check for Signs of Vulnerability: Monitor plugin settings and website behavior for any unexpected changes, particularly related to SSL and HTTPS configurations.
  • Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality and are currently secure.
  • Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and maintain site security.

Conclusion:

The prompt release of version 1.67 by WP Force SSL & HTTPS SSL Redirect developers highlights the critical importance of timely updates in safeguarding WordPress site security. It is essential for users to ensure they are running version 1.67 or higher to protect their WordPress installations against potential exploits.

Detailed Report: 

In today's digital landscape, the security of your WordPress website hinges on vigilant maintenance and timely updates of all plugins. These plugins, while enhancing functionality, can also introduce vulnerabilities that compromise site integrity. The recent discovery of a critical issue in the WP Force SSL & HTTPS SSL Redirect plugin underscores the urgent need for proactive security measures.

WP Force SSL & HTTPS SSL Redirect, developed by webfactory, is a widely used plugin boasting over 100,000 active installs and a significant user base. However, versions up to and including 1.66 have been identified with a critical vulnerability (CVE-2024-5770). This flaw allows authenticated attackers with Subscriber-level permissions and above to exploit the 'ajax_save_setting' function, manipulating essential plugin settings related to SSL and HTTPS configurations.

Detailed Overview:

The vulnerability arises from a lack of proper capability checks in the 'ajax_save_setting' function, enabling low-privileged authenticated users to modify SSL and HTTPS settings. Attackers could potentially misconfigure these critical security features, leading to data interception or the redirection of users to malicious sites, compromising the site's credibility and user trust.
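As an added illustration of the flaw described in both "Detailed Overview" sections (this is not code from the WP Force SSL & HTTPS SSL Redirect plugin; the function, action and option names are hypothetical), the block below places a wp_ajax_ settings handler that verifies only a nonce next to one that also verifies a capability. WordPress dispatches wp_ajax_{action} hooks for every authenticated user regardless of role, so authorization has to be enforced inside the handler; a nonce defends against CSRF, not against a logged-in low-privilege account.

```php
<?php
// Added example, not plugin code. Names are hypothetical: the handler, the
// 'example_save_setting_*' AJAX actions and the 'example_ssl_settings' option
// stand in for whatever a real plugin uses.

// --- Weak pattern: nonce only. ---
// check_ajax_referer() proves the request came from a page that embedded the
// nonce; it says nothing about whether the user may change settings. Every
// authenticated role, including Subscriber, reaches this handler.
function example_ajax_save_setting_unsafe() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $settings              = get_option( 'example_ssl_settings', array() );
    $settings['force_ssl'] = ! empty( $_POST['force_ssl'] ) ? 1 : 0;
    update_option( 'example_ssl_settings', $settings );

    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_setting_unsafe', 'example_ajax_save_setting_unsafe' );

// --- Hardened pattern: nonce + capability + input allow-list. ---
function example_ajax_save_setting_safe() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Authorization: only users who may manage site options continue.
    //    Subscribers do not hold manage_options, so they stop here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: accept only known keys and coerce them to the expected type
    //    before persisting, so a permitted user cannot store arbitrary data either.
    $allowed_keys = array( 'force_ssl', 'redirect_code' );
    $settings     = get_option( 'example_ssl_settings', array() );
    foreach ( $allowed_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $settings[ $key ] = absint( wp_unslash( $_POST[ $key ] ) );
        }
    }
    update_option( 'example_ssl_settings', $settings );

    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_setting_safe', 'example_ajax_save_setting_safe' );
```

The order of the checks is deliberate: the nonce check rejects forged cross-site requests before any database read, the capability check rejects authenticated users who lack authority, and only then is input touched. When reviewing a plugin for this class of bug, look for every wp_ajax_ (and wp_ajax_nopriv_) callback that writes options and confirm a current_user_can() call guards it; a nonce check on its own is the exact shape of the gap this report describes.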

Advice for Users:

  • Immediate Action: Update WP Force SSL & HTTPS SSL Redirect plugin to version 1.67 or later immediately to mitigate the risk of unauthorized settings modification.
  • Check for Signs of Vulnerability: Monitor plugin settings and website behavior for any unexpected changes, particularly related to SSL and HTTPS configurations.
  • Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality and are currently secure.
  • Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and maintain site security.
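To act on the "Check for Signs of Vulnerability" advice given in both advice sections, here is an added must-use plugin (not part of the WP Force SSL & HTTPS SSL Redirect plugin) that writes an audit line whenever a watched option changes and flags writes performed by an account that lacks manage_options. That combination, a plugin option rewritten by a low-privilege user, is the trace a missing-capability-check bug leaves behind. The option-name prefix is an assumption; replace it with the option names the plugin actually stores in wp_options.

```php
<?php
/**
 * Plugin Name: Example Settings Change Monitor (must-use plugin)
 *
 * Added example, not plugin code. Copy into wp-content/mu-plugins/ so it loads
 * before regular plugins. Logs go to the PHP error log (WP_DEBUG_LOG or the
 * server's configured log), which keeps the monitor independent of the plugin
 * being watched.
 */

// ASSUMPTION: watched options share this name prefix. Adjust after inspecting
// the option names the plugin really uses.
define( 'EXAMPLE_WATCHED_OPTION_PREFIX', 'wp_force_ssl' );

function example_option_is_watched( $option ) {
    return 0 === strpos( $option, EXAMPLE_WATCHED_OPTION_PREFIX );
}

// Builds the audit line. Split out so the same logic serves both hooks.
function example_log_option_change( $option, $old_value, $new_value ) {
    if ( ! example_option_is_watched( $option ) ) {
        return;
    }

    $user = wp_get_current_user();
    $who  = ( $user && $user->ID )
        ? sprintf( '%s (ID %d, roles: %s)', $user->user_login, $user->ID, implode( ',', $user->roles ) )
        : 'unauthenticated';

    // Where the write came from: admin-ajax is the path this report concerns.
    $via = wp_doing_ajax() ? 'admin-ajax' : ( wp_doing_cron() ? 'cron' : 'other' );
    $ip  = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'n/a';

    // A settings write by a user without manage_options should never happen
    // through a correctly guarded handler; mark it so it stands out in the log.
    $suspicious = ! current_user_can( 'manage_options' );

    error_log( sprintf(
        '[settings-monitor]%s option=%s by=%s via=%s ip=%s old=%s new=%s',
        $suspicious ? ' SUSPICIOUS' : '',
        $option,
        $who,
        $via,
        $ip,
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    ) );
}

// updated_option fires only when an existing option's value actually changes.
add_action( 'updated_option', 'example_log_option_change', 10, 3 );

// A first-time write creates the option and fires added_option instead.
add_action( 'added_option', function ( $option, $value ) {
    example_log_option_change( $option, null, $value );
}, 10, 2 );
```

Lines tagged SUSPICIOUS are worth correlating with the web server's access log for the same timestamp and IP; on a site still running an affected version they indicate the settings tampering this report describes, and on a patched site they indicate some other unguarded write path that deserves the same review.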

Conclusion:

The prompt release of version 1.67 by WP Force SSL & HTTPS SSL Redirect developers underscores the critical importance of proactive security practices. Small business owners, often stretched for time, must prioritize staying informed about vulnerabilities and applying updates promptly. This diligence not only protects their website from potential exploits but also ensures continued trust and reliability for their online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
