WebArx Specialists reported dangerous vulnerabilitiesfound in plugins for WordPress WP Time Capsule and InfiniteWP. Both plugins have already received patches from the developer this month.
According to the researchers, in both cases the attacker had the opportunity to bypass authentication. The causes of vulnerabilities boiled down to “logical problems” in the code, exploiting which, an attacker could gain administrator access without having to enter a password.
Analysts write that the InfiniteWP plugin is currently installed on 300,000 sites, while the official site of the product claims 513,000 installations.
The vulnerability in the plugin was fixed by the developer (Revmakx) on January 8, 2020, with the release of InfiniteWP Client 220.127.116.11. To date, about 167,000 users have installed the patch, that is, approximately 130,000 sites are still vulnerable to potential attacks.
The problem was discovered in the init.php file, in the iwp_mmb_set_request function, designed to verify the authentication of actions that the user is trying to take. However, readd_site and add_site did not perform authorization checks, which allowed any user to obtain administrator rights.
“To make the request even reach the vulnerable part of the code, you must first encode the payload using JSON, then Base64, and then send it in its original form to the site in a POST request,” write WebARX specialists. – All you need to know is the username of the site administrator. After sending the request, you will automatically log in as a user. "
Another authentication bypass, allowing users to log in as administrators, was discovered in another plugin – WP Time Capsule. This plugin is also created by Revmakx and is active on more than 20,000 sites. The exploitation of the vulnerability in this case also came down to sending a POST request, even without the need for encoding the payload. The vulnerability in it was also fixed by the developer on January 8, 2020, and since then almost all users (approximately 19,180) have already updated their installations.