Pierluigi Paganini January 16, 2020

WP Time Capsule and InfiniteWP WordPress plugins are affected by security flaws that could be exploited to take over websites running the popular CMS.

Experts at security firm WebArx have ethically disclosed vulnerabilities in WP Time Capsule and InfiniteWP plugins, both were patched earlier this month by the developer Revmakx.

The flaws in WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over websites running the popular CMS that are more than 320,000.

“we found that the InfiniteWP Client and WP Time Capsule plugins also contain logical issues in the code that allows you to login into an administrator account without a password.” reads the security advisory published by the experts.

The plugins are affected by logical issues that could allow attackers to log in as administrators without providing any password.

Security systems like firewalls might fail to detect the attempt of exploitation for these issues because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload.

InfiniteWP allows users to manage unlimited number of WordPress sites from their own server, it has an estimated 300.000 installs.

The attacker could trigger the issue by sending a POST request with the payload written first in JSON and then encoded in Base64. The request will bypass the password requirement and log in with only the username of an existing account. All the attackers need to know is the username of an administrator on the WordPress site.

“The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.” continues the analysis.

“In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.”

InfiniteWP Client versions before 1.9.4.5 are affected by the vulnerability.

WP Time Capsule is a backup tool with around 20,000 installs, to bypass the authentication the attackers need to send a POST request containing in the body a certain string.

Below the timeline for both vulnerabilities:

• 07-01-2020 – Reported the vulnerabilities to the developer of both plugins.
• 07-01-2020 – Released protection module to all WebARX customers.
• 08-01-2020 – Developer of the plugin released a new version for both plugins.
• 14-01-2020 – Security advisory publicly released.

Don’t waste time, update your plugin installs as soon as possible!

Pierluigi Paganini

(SecurityAffairs – WordPress Plugin, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]