Authentication bypass bugs in WordPress plugins InfiniteWP Client and WP Time Capsule leave hundreds of thousands of sites open to attack.
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authentication bypass bug, which allows adversaries to access a site's backend without a password.
All an attacker needs is the administrator username of the target site, and they are in, according to researchers from WebArx, who created proof-of-concept attacks to exploit the vulnerability.
“[Both] contain logical issues in the code that allows you to login into an administrator account without a password,” wrote WebArx in a blog post outlining the discovery on Wednesday.
According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin. The WP Time Capsule plugin is active on 20,000 websites, according to library tallies.
Both plugins are designed to let users authenticate to multiple WordPress installations from one central server. That allows site owners to "perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously," according to a Wordfence description.
The vulnerabilities were first reported on Jan. 7, 2020. The next day, the developers released new versions of the plugins. On Tuesday, WebArx publicly disclosed the bugs.
We highly encourage you to upgrade these plugins if you are using either of them.