reported dangerous vulnerabilities found in WordPress plugins WP Time Capsule and InfiniteWP. Both plugins have already received patches from the developer this month.
By According to the researchers, in both cases, the attacker was able to bypass authentication. The causes of the vulnerabilities boiled down to “logical problems” in the code, exploiting which, an attacker could gain administrator access without having to enter a password.
Analysts write that the InfiniteWP plugin is currently installed on 300,000 sites, while the official website of the product claims 513,000 installations.
The vulnerability in the plugin was fixed by the developer (Revmakx) on January 8, 2020, with the release of InfiniteWP Client 188.8.131.52. To date, the patch has been installed by about 167,000 users, that is, about 130,000 more sites are still vulnerable to potential attacks.
The problem was found in the init.php file, in the iwp_mmb_set_request function, designed to check the authentication of the actions that the user is trying to take. However, readd_site and add_site did not perform an authorization check, allowing any user to gain administrator rights.
“For the request to even get to the vulnerable part code, you must first encode the payload using JSON, then Base64, and then send it in its original form to the site in a POST request, write WebARX experts. – All you need to know is the username of the site administrator. After submitting the request, you will be automatically logged in as a user.”
Another authentication bypass that allows users to log in as administrators has been discovered in another plugin, WP Time Capsule. This plugin is also created by Revmakx and is active on over 20,000 sites. The exploitation of the vulnerability in this case also came down to sending a POST request, even without the need to encode the payload. The vulnerability in it was also fixed by the developer on January 8, 2020, and since then almost all users (approximately 19,180) have already updated their installations.