version bump

Author: rlankhorst

readme.txt

@@ -6,7 +6,7 @@ Requires at least: 5.9
 License: GPL2
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 9.1.1.1
+Stable tag: 9.1.2
 
 Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate.
 
@@ -151,6 +151,9 @@ The plugin checks your certificate before enabling, but if, for example, you mig
 If you can't deactivate, do not just remove the plugin folder to uninstall! Follow these [instructions](https://really-simple-ssl.com/knowledge-base/uninstall-websitebackend-not-accessible/) instead.
 
 == Changelog ==
+= 9.1.2 =
+* security: authentication bypass
+
 = 9.1.1.1 =
 * November 5th, 2024
 *Improvement: updated black friday dates

rlrsssl-really-simple-ssl.php

@@ -3,7 +3,7 @@
  * Plugin Name: Really Simple Security
  * Plugin URI: https://really-simple-ssl.com
  * Description: Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.
- * Version: 9.1.1.1
+ * Version: 9.1.2
  * Requires at least: 5.9
  * Requires PHP: 7.4
  * Author: Really Simple Security
@@ -103,7 +103,7 @@ private function setup_constants()
 			if ( !defined('rsssl_file') ){
 				define('rsssl_file', __FILE__);
 			}
-			define('rsssl_version', '9.1.1.1');
+			define('rsssl_version', '9.1.2');
 			define('rsssl_le_cron_generation_renewal_check', 20);
 			define('rsssl_le_manual_generation_renewal_check', 15);
 		}

security/wordpress/two-fa/class-rsssl-request-parameters.php

@@ -95,7 +95,7 @@ public function __construct( WP_REST_Request $request ) {
 		$this->nonce       = $request->get_header( 'X-WP-Nonce' );
 		$this->user        = get_user_by( 'id', $this->user_id );
 		$this->provider    = $request->get_param( 'provider' );
-		$this->redirect_to = $request->get_param( 'redirect_to' );
+		$this->redirect_to = $request->get_param( 'redirect_to' )?? admin_url();
 		if ( 'totp' === $this->provider ) {
 			$this->code = wp_unslash( $request->get_param( 'two-factor-totp-authcode' ) );
 			$this->key  = wp_unslash( $request->get_param( 'key' ) );

security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php

@@ -10,6 +10,7 @@
 
 namespace RSSSL\Security\WordPress\Two_Fa;
 
+use Exception;
 use WP_REST_Request;
 use WP_REST_Response;
 use WP_User;
@@ -64,15 +65,19 @@ private function check_custom_validation( WP_REST_Request $request ): bool {
 	 */
 	private function check_login_and_get_user( int $user_id, string $login_nonce ) {
 		if ( ! Rsssl_Two_Fa_Authentication::verify_login_nonce( $user_id, $login_nonce ) ) {
-			return new WP_REST_Response( array( 'error' => 'Invalid login nonce' ), 403 );
+			// We throw an error
+			wp_die();
 		}
-
 		/**
 		 * Get the user by the user ID.
 		 *
 		 * @var WP_User $user
 		 */
-		$user = get_user_by( 'id', $user_id );
+		$user = get_user_by('id', $user_id);
+		if (!$user) {
+			throw new Exception('User not found');
+		}
+
 		return $user;
 	}
 
@@ -122,15 +127,17 @@ private function start_email_validation(int $user_id, string $redirect_to = '',
 	 * @return WP_REST_Response The REST response object if user is not logged in or provider is invalid.
 	 */
 	public function set_as_email( WP_REST_Request $request ): WP_REST_Response {
-		$parameters = new Rsssl_Request_Parameters( $request );
-		$user       = $this->check_login_and_get_user( $parameters->user_id, $parameters->login_nonce );
-		// Check if the provider.
-		if ( 'email' !== $parameters->provider ) {
-			return new WP_REST_Response( array( 'error' => 'Invalid provider' ), 401 );
+		$parameters = new Rsssl_Request_Parameters($request);
+		try {
+			$this->check_login_and_get_user($parameters->user_id, $parameters->login_nonce);
+		} catch (Exception $e) {
+			return new WP_REST_Response(['error' => $e->getMessage()], 403);
+		}
+		if ('email' !== $parameters->provider) {
+			return new WP_REST_Response(['error' => 'Invalid provider'], 401);
 		}
 
-		// Finally redirect the user to the redirect_to page with a response.
-		return $this->start_email_validation( $parameters->user_id, $parameters->redirect_to , $parameters->profile );
+		return $this->start_email_validation($parameters->user_id, $parameters->redirect_to, $parameters->profile);
 	}
 
     /**
@@ -141,15 +148,17 @@ public function set_as_email( WP_REST_Request $request ): WP_REST_Response {
      * @return WP_REST_Response The REST response object.
      */
     public function set_profile_email(WP_REST_Request $request ): WP_REST_Response {
-        $parameters = new Rsssl_Request_Parameters( $request );
-        $user       = $this->check_login_and_get_user( $parameters->user_id, $parameters->login_nonce );
-        // Check if the provider.
-        if ( 'email' !== $parameters->provider ) {
-            return new WP_REST_Response( array( 'error' => 'Invalid provider' ), 401 );
-        }
-
-        // Finally redirect the user to the redirect_to page with a response.
-        return $this->start_email_validation( $parameters->user_id, $parameters->redirect_to, $parameters->profile );
+	    $parameters = new Rsssl_Request_Parameters($request);
+	    try {
+		    $this->check_login_and_get_user($parameters->user_id, $parameters->login_nonce);
+	    } catch (Exception $e) {
+		    return new WP_REST_Response(['error' => $e->getMessage()], 403);
+	    }
+	    if ('email' !== $parameters->provider) {
+		    return new WP_REST_Response(['error' => 'Invalid provider'], 401);
+	    }
+
+	    return $this->start_email_validation($parameters->user_id, $parameters->redirect_to, $parameters->profile);
     }
 
     /**
@@ -160,29 +169,24 @@ public function set_profile_email(WP_REST_Request $request ): WP_REST_Response {
      * @return WP_REST_Response The REST response object.
      */
     public function validate_email_setup(WP_REST_Request $request ): WP_REST_Response {
-        $parameters = new Rsssl_Request_Parameters( $request );
-        $user = $this->check_login_and_get_user( $parameters->user_id, $parameters->login_nonce );
-        // Check if the provider.
-        if ( 'email' !== $parameters->provider ) {
-            return new WP_REST_Response( array( 'error' => 'Invalid provider' ), 401 );
-        }
-        if ( !Rsssl_Two_Factor_Email::get_instance()->validate_token( $parameters->user_id, self::sanitize_token($parameters->token) ) ) {
-            // we reset all the settings.
-            Rsssl_Two_Factor_Email::set_user_status( $parameters->user_id, 'open' );
-            Rsssl_Two_Factor_Totp::set_user_status( $parameters->user_id, 'open' );
+	    $parameters = new Rsssl_Request_Parameters($request);
 
-            // we logout the user
-            wp_logout();
+	    if ('email' !== $parameters->provider) {
+		    return new WP_REST_Response(['error' => 'Invalid provider'], 401);
+	    }
 
-            return new WP_REST_Response( array( 'error' =>  __('Code was was invalid, try "Resend Code"', 'really-simple.ssl-pro') ), 401 );
-        }
+	    if (!Rsssl_Two_Factor_Email::get_instance()->validate_token($parameters->user_id, self::sanitize_token($parameters->token))) {
+		    Rsssl_Two_Factor_Email::set_user_status($parameters->user_id, 'open');
+		    Rsssl_Two_Factor_Totp::set_user_status($parameters->user_id, 'open');
+		    wp_logout();
+		    return new WP_REST_Response(['error' => __('Code was invalid, try "Resend Code"', 'really-simple.ssl-pro')], 401);
+	    }
 
-        Rsssl_Two_Factor_Email::set_user_status( $parameters->user_id, 'active' );
-	    Rsssl_Two_Factor_Totp::set_user_status( $parameters->user_id, 'disabled' );
-        // Mark all other statuses as inactive.
-        self::set_other_providers_inactive( $parameters->user_id, 'email' );
+	    Rsssl_Two_Factor_Email::set_user_status($parameters->user_id, 'active');
+	    Rsssl_Two_Factor_Totp::set_user_status($parameters->user_id, 'disabled');
+	    self::set_other_providers_inactive($parameters->user_id, 'email');
 
-        return $this->authenticate_and_redirect( $parameters->user_id, $parameters->redirect_to );
+	    return $this->authenticate_and_redirect($parameters->user_id, $parameters->redirect_to);
     }
 
     /**
@@ -244,24 +248,19 @@ public function verify_2fa_code_totp( WP_REST_Request $request ): WP_REST_Respon
 	 * @return WP_REST_Response The REST response object.
 	 */
 	public function disable_two_fa_for_user( WP_REST_Request $request ): WP_REST_Response {
-		$parameters = new Rsssl_Request_Parameters( $request );
-		// As a double we check the user_id with the login nonce.
-		$user = $this->check_login_and_get_user( $parameters->user_id, $parameters->login_nonce );
+		$parameters = new Rsssl_Request_Parameters($request);
+		try {
+			$user = $this->check_login_and_get_user($parameters->user_id, $parameters->login_nonce);
+		} catch (Exception $e) {
+			return new WP_REST_Response(['error' => $e->getMessage()], 403);
+		}
 
-		// We get all the available providers for the user.
 		$user_available_providers = Rsssl_Provider_Loader::get_providers();
-
-        foreach ( $user_available_providers as $provider ) {
-			/**
-			 * Set the user status to disable.
-			 *
-			 * @var Rsssl_Two_Factor_Provider $provider
-			 */
-			$provider::set_user_status( $user->ID, 'disabled' );
+		foreach ($user_available_providers as $provider) {
+			$provider::set_user_status($user->ID, 'disabled');
 		}
 
-		// Finally we redirect the user to the redirect_to page.
-		return $this->authenticate_and_redirect( $parameters->user_id, $parameters->redirect_to );
+		return $this->authenticate_and_redirect($parameters->user_id, $parameters->redirect_to);
 	}
 
 	/**
@@ -274,7 +273,11 @@ public function disable_two_fa_for_user( WP_REST_Request $request ): WP_REST_Res
 	public function skip_onboarding( WP_REST_Request $request ): WP_REST_Response {
 		$parameters = new Rsssl_Request_Parameters( $request );
 		// As a double we check the user_id with the login nonce.
-		$user = $this->check_login_and_get_user( (int)$parameters->user_id, $parameters->login_nonce );
+		try {
+			$this->check_login_and_get_user($parameters->user_id, $parameters->login_nonce);
+		} catch (Exception $e) {
+			return new WP_REST_Response(['error' => $e->getMessage()], 403);
+		}
 		return $this->authenticate_and_redirect( $parameters->user_id, $parameters->redirect_to );
 	}
 

security/wordpress/two-fa/class-rsssl-two-factor.php

@@ -357,6 +357,7 @@ public static function maybe_skip_auth(): void
                     update_user_meta($user_id, 'rsssl_two_fa_status', 'active');
                     update_user_meta($user_id, 'rsssl_two_fa_status_email', 'active');
                     update_user_meta($user_id, 'rsssl_two_fa_status_totp', 'disabled');
+	                delete_user_meta( $user_id, '_rsssl_factor_email_token' );
                 }
 
                 wp_set_auth_cookie($user_id);