WordPress vulnerability puts 300,000 at risk for attack

WordPress users are at serious risk from a critical bug that, at the time of this article’s writing, has been patched. According to research published by WebARX Security, the bug is a critical authentication bypass vulnerability found in the Infinite WP Client and WP Time Capsule plugins. With nothing more than the admin username and the proof-of-concept attack, a threat actor can access a WordPress site’s backend without a password. This is not the first time a WordPress vulnerability has affected users of the popular web publishing and blogging platform.

In the case of the Infinite WP Client, WebARX Security explains in the following excerpt how the bug functions:

The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.

In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.
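The missing-check pattern from the excerpt above, as a simplified model added here; it is not InfiniteWP Client code and not the vendor's fix. Only `iwp_action`, `add_site` and `readd_site` come from the article; the HMAC scheme, the key, the function names and `hypothetical_action` are assumptions made for illustration.

```php
<?php
// Simplified model of the flaw class, NOT the plugin's code. Only iwp_action,
// add_site and readd_site come from the article; everything else is hypothetical.

const DEMO_KEY = 'constructed-demo-key'; // constructed secret for this example

// Hypothetical authorization: HMAC over the request body with a shared key.
function is_authorized(array $req): bool {
    $body = $req['body'] ?? null;
    $sig  = $req['signature'] ?? null;
    if (!is_string($body) || !is_string($sig)) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $body, DEMO_KEY), $sig);
}

// Flawed pattern: authorization is opt-in per action, so any action left off
// the checked path is accepted as-is.
function accept_flawed(array $req): bool {
    $action = $req['iwp_action'] ?? '';
    if ($action === 'add_site' || $action === 'readd_site') {
        return true; // no authorization check on this branch
    }
    return is_authorized($req);
}

// Hardened pattern: default deny. Every request is authorized before the
// action name is even looked at.
function accept_hardened(array $req): bool {
    return is_authorized($req);
}

// Constructed sample requests.
$body = '{"task":"demo"}';
$samples = [
    'signed action'       => ['iwp_action' => 'hypothetical_action', 'body' => $body,
                              'signature' => hash_hmac('sha256', $body, DEMO_KEY)],
    'unsigned action'     => ['iwp_action' => 'hypothetical_action', 'body' => $body],
    'unsigned add_site'   => ['iwp_action' => 'add_site', 'body' => $body],
    'unsigned readd_site' => ['iwp_action' => 'readd_site', 'body' => $body],
];

foreach ($samples as $label => $req) {
    printf("%-20s flawed=%s hardened=%s\n", $label,
        accept_flawed($req) ? 'accept' : 'reject',
        accept_hardened($req) ? 'accept' : 'reject');
}
```

The flawed gate accepts both unsigned `add_site` and `readd_site` requests, while the default-deny gate accepts only the signed one.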

As for the WP Time Capsule plugin, WebARX also explains the bug in detail:

The issue is located in wptc-cron-functions.php line 12 where it parses the request. The parse_request function calls the function decode_server_request_wptc which checks if the raw POST payload contains the string “IWP_JSON_PREFIX.”

If it contains this string, it calls wptc_login_as_admin (which grabs all available administrator accounts and uses the first account in the list) and you’ll be logged in as an administrator as shown below.

For WordPress users who think that firewalls can protect them from this vulnerability, researchers are adamant that this is not the case. In most cases, a firewall will not be able to tell a maliciously coded payload from a non-threatening one. It is therefore vital that any admin of a site with the affected plugins install the newest version, in which the vulnerability is patched. Researchers at WebARX state that this flaw affects over 300,000 users, and as such, the consequences of leaving this vulnerability unpatched could be dire.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
