Experts at security firm WebArx have ethically disclosed vulnerabilities in WP Time Capsule and InfiniteWP plugins, both were patched earlier this month by the developer
The flaws in WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over websites running the popular CMS that are more than 320,000.
The plugins are affected by logical issues that could allow attackers to log in as administrators without providing any password.
Security systems like firewalls might fail to detect the attempt of exploitation for these issues because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload.
The attacker could trigger the issue by sending a POST request with the payload written first in JSON and then encoded in Base64. The request will bypass the password requirement and log in with only the username of an existing account. All the attackers need to know is the username of an administrator
“The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.” continues the analysis.
“In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.”
InfiniteWP Client versions before 188.8.131.52 are affected by the vulnerability.
WP Time Capsule is a backup tool with around 20,000 installs, to bypass the authentication the attackers need to send a POST request containing in the body a certain string.
Below the timeline for both vulnerabilities:
Don’t waste time, update your plugin installs as soon as possible!
(SecurityAffairs – WordPress Plugin, hacking)