A critical authentication bypass vulnerability (CVE-2024-10924, CVSS 9.8) has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress, impacting versions 9.0.0 to 9.1.1.1. The flaw, caused by improper handling of user checks in the "check_login_and_get_user" function, allows unauthenticated attackers to gain administrative access when two-factor authentication is enabled. Installed on over 4 million sites, the vulnerability has been patched in version 9.1.2 following responsible disclosure on November 6, 2024, with a force update deployed to mitigate potential abuse. Additionally, Wordfence recently reported a separate critical flaw (CVE-2024-10470, CVSS 9.8) in the WPLMS Learning Management System theme, allowing attackers to delete or read arbitrary files, potentially enabling site takeovers.