Once again, thousands of WordPress websites are exposed to security threats due to vulnerable plugins. Researchers have found a critical bug in two WordPress plugins that put 320,000 websites at risk.
Vulnerability In Two WordPress Plugins
Reportedly, researchers from WebARX Security have found a serious security flaw in two different WordPress plugins. Considering the extensive userbase of both plugins, the bug potentially made thousands of websites vulnerable to cyber attacks.
Stating about the bug in their advisory, the researchers stated that they found an authentication bypass flaw in two plugins, the WP Time Capsule and InfiniteWP Client. Exploiting the flaw could allow an attacker to sign-in to the admin account without a password.
According to the researchers, the bug remained exploitable even with a firewall.
“In this case, it’s hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins…
Because of the nature of the vulnerability, cloud-based firewalls might not be able to make a difference between malicious or legitimate traffic and therefore may fail provide effective protection against this vulnerability.
In brief, both plugins exhibited some logical issues that could allow an attacker to bypass user authentication.
In the case of InfiniteWP Client, an adversary could send malicious POST requests to the site with JSON and Base64 encoded payload to bypass password requirements. Hence, the attacker would succeed to log in to the admin account only with the username of the administrator. The bug affected all plugin versions up to 22.214.171.124.
Whereas, for WP Time Capsule, a raw POST request with a certain string would suffice to conduct the attack. The bug potentially affected all plugin versions up to 1.21.15.
Patches Released – Update Now!
Upon noticing the flaw, the researchers informed Revmakx – the developer of both plugins. Fortunately, the developer worked quickly to patch the bug and release fixes within a day.
Consequently, the InfiniteWP Client v.126.96.36.199 and WP Time Capsule v.1.21.16 surfaced online with the patch for the auth bypass flaw.
While the threat is now seemingly over, the users of both plugins must ensure updating their sites with the latest plugin versions. Not to forget that both plugins boast a huge number of active installations; 300,000+ for InfiniteWP Client, and 20,000+ for WP Time Capsule.
Let us know your thoughts in the comments.