Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

ID: 3a9e8d22-06ba-5260-8eec-77f032d01489

STIX ID: report--3a9e8d22-06ba-5260-8eec-77f032d01489

Feed Name: Dark Reading

Threat Score: 78/100

Date Published: 2024-11-18

Date Updated: 2026-04-21

Author: Elizabeth Montalbano, Contributing Writer

A critical authentication-bypass vulnerability (CVSS 9.8) was discovered in the Really Simple Security WordPress plugin (versions 9.0.0–9.1.1.1). The plugin improperly handles two-factor authentication (2FA) checks in its REST API, allowing attackers to bypass authentication and gain administrative access. The flaw is scriptable and could be used in large-scale automated attacks against millions of sites. Although a patch (9.1.2) was released and forced updates were issued, some sites, notably those without valid licenses, may remain vulnerable.