WordPress plug-in authentication bypass vulnerability Security Alert

WordPress plug-in authentication bypass vulnerability Security Alert

January 26, 2020 | Mina Hao

Overview

Recently, webarx researchers announced two high-risk authentication bypass vulnerabilities in WordPress plug-ins, which allow attackers to log in to an administrator account without a password.

The two plug-ins are infinitewp client and WP time capsule. It is designed to help users manage an unlimited number of WordPress websites from a central server and do backup management.

According to the report released by WebARX, the InfiniteWP Client plug-in is valid on more than 300000 websites, and the WP Time Capsule plug-in is valid on more than 20000 websites. The exploit process of the infinitewp client plug-in is simple, and CVss score is 9.8.

WebARX also points out that since authentication bypass vulnerabilities are usually logical errors in code and do not actually involve payloads that appear suspicious, it is difficult to use common firewall rules to prevent such vulnerabilities in this case.

Fortunately, plug-in developers have released a new version of the fix the next day after the vulnerability was submitted. It is recommended that users update it in time.

References:

https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/

https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/

Affected Versions

  • InfiniteWP Client Version < 1.9.4.5
  • WP Time Capsule Version < 1.21.16

Unaffected Versions

  • InfiniteWP Client Version = 1.9.4.5
  • WP Time Capsule Version = 1.21.16

Solution

A new version that fixes the above vulnerability has been released. It is recommended that the affected users upgrade and update to prevent risks. The update download page is as follows.

InfiniteWP Client:https://wordpress.org/plugins/iwp-client/

WP Time Capsule:https://wordpress.org/plugins/wp-time-capsule/

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.