Developer promptly issues fix to vulnerability impacting 320,000 sites

A critical vulnerability has been found in two popular WordPress plugins, a web security company has disclosed.

Both the Infinite WP Client and WP Time Capsule plugins contain an authentication bypass flaw that could allow an attacker to log in to an administrator account without a password, said WebARX, the firm that discovered the issues, in a recent blog post.

Users are advised to upgrade to the latest versions of the plugins, which have the fixes enabled – 1.9.4.5 for Infinite WP Client and 1.21.16 for WP Time Capsule.

An authentication bypass flaw, listed in the OWASP Top 10, typically occurs due to the mismanagement of credentials, or failure to implement multi-factor authentication.

A lack of security checks within an application’s codebase can also be responsible.

“Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from,” WebARX said.

Infinite WP Client, a multi-site management tool, is currently installed on over 300,000 WordPress sites, according to its developer Revmakx.

WebARX said that the authentication bypass flaw originated in the iwp_mmb_set_request function of the plugin’s init.php file, impacting versions 1.9.4.4 and earlier.

“In order for the request to even get to the vulnerable part of the code, we first must encode the payload with JSON, then Base64, then send it raw to the site in a POST request,” WebARX said.

“All we need to know is the username of an administrator on the site. After the request has been sent, you will automatically be logged in as the user.”


Check out the latest WordPress security news


Missing authentication checks caused the issue to occur, WebARX said, as with WP Time Capsule, a plugin reported by its developer to be active on 20,000 sites.

The issue here lies in wptc-cron-functions.php line 12.

“The parse_request function calls the function decode_server_request_wptc which check if the raw POST payload contains the string IWP_JSON_PREFIX,” WebARX said.

“If it contains this string, it calls wptc_login_as_admin (which grabs all available administrator accounts and uses the first account in the list) and you’ll be logged in as an administrator as shown below.”

WP Time Capsule is also developed by Revmakx. The company promptly issued updated versions of both plugins on January 8 – just one day after WebARX reported the flaws.

“They [Revmakx] fixed it in a day and reached out to all of their customers the same day to make sure people update ASAP,” Oliver Sild, founder and CEO of WebARX, told The Daily Swig.

“We [WebARX] always help the developers fix the issues when we send out reports, and this specific developer has been very swift in both response and remediation.”

Sild added how there had been no evidence of the reported vulnerabilities being exploited in the wild.

“We are actively monitoring this as it’s a popular plugin, which usually makes it a matter of hours/days when we will see first attempts,” he said.

“Plugin update is of critical importance.”


YOU MIGHT ALSO LIKE WordPress 5.3 launches with security enhancements and PHP 7.4 support