Critical WordPress Plugin Bug Allows Admin Logins Without Password – BleepingComputer
A critical authentication bypass vulnerability allows anyone to log in as an administrator user on WordPress sites running an affected version of the InfiniteWP Client because of logical mistakes in the code.
Based on the active installations tracked by the WordPress plugin library, the open-source InfiniteWP plugin is currently installed on over 300,000 websites, while the plugin’s site claims that it’s installed on over 513,000 sites.
Upon installation, InfiniteWP Client lets its users manage an unlimited number of WordPress sites from a central location, with “one-click updates for WordPress, plugins, and themes across all your sites.”
The vulnerability was patched by Revmakx, the plugin’s maker, on January 8 with the release of InfiniteWP Client 22.214.171.124, one day after researchers at web app security outfit WebARX disclosed the vulnerability on January 7.
Since the InfiniteWP Client version including the security fix was released, a little over 167,000 users have already updated their installation, leaving around 130,000 still to patch in order to secure their websites from potential future attacks.
“In order for the request to even get to the vulnerable part of the code, we first must encode the payload with JSON, then Base64, then send it raw to the site in a POST request,” WebARX says.
“All we need to know is the username of an administrator on the site. After the request has been sent, you will automatically be logged in as the user.”
The issue was found in the iwp_mmb_set_request function in the init.php file, which is designed to check whether actions attempted by a user are authenticated.
However, the researchers found that the readd_site and add_site actions have no authorization check, a flaw that can be exploited with the correct payload to have the InfiniteWP server automatically log any user in as an admin.
“Once the payload meets these conditions, the username parameter that is supplied will be used to log in the requester as that user without performing any further authentication,” WebARX adds.
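As an added illustration (not code from the article, WebARX or Revmakx), the following Python classifier turns the request shape described above into a detection rule over constructed sample traffic: it Base64-decodes a POST body, parses the JSON, and flags bodies that name readd_site or add_site together with a username. The JSON key names in the samples are assumptions for illustration, not the plugin's real parameter names.

```python
import base64
import json

# Action names the article reports as lacking an authorization check.
UNAUTHENTICATED_ACTIONS = {"readd_site", "add_site"}

def decode_body(raw_body: bytes):
    """Undo the encoding the article describes (JSON, then Base64); None if not that shape."""
    try:
        obj = json.loads(base64.b64decode(raw_body, validate=True))
    except (ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None

def _pairs(obj):
    # Yield every (key, value) pair anywhere in a nested JSON value.
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _pairs(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _pairs(value)

def classify_request(method: str, raw_body: bytes) -> str:
    """'suspicious' if a POST body decodes to JSON naming an unauthenticated action plus a username."""
    if method.upper() != "POST":
        return "ok"
    obj = decode_body(raw_body)
    if obj is None:
        return "ok"
    pairs = list(_pairs(obj))
    hits_action = any(isinstance(v, str) and v in UNAUTHENTICATED_ACTIONS for _, v in pairs)
    has_username = any(k == "username" for k, _ in pairs)
    return "suspicious" if hits_action and has_username else "ok"

# Constructed sample traffic (not captured from a real site); key names are assumptions.
SAMPLE_REQUESTS = [
    ("GET", b"page=2"),
    ("POST", b"not base64 at all!!"),
    ("POST", base64.b64encode(json.dumps(
        {"action": "readd_site", "params": {"username": "admin"}}).encode())),
    ("POST", base64.b64encode(json.dumps(
        {"action": "get_stats", "params": {"site": "example.org"}}).encode())),
]

def scan(requests=SAMPLE_REQUESTS):
    # Return the indexes of the requests classified as suspicious.
    return [i for i, (method, body) in enumerate(requests)
            if classify_request(method, body) == "suspicious"]
```

Bodies that are not valid Base64, do not parse as a JSON object, or arrive on a non-POST method are classified as ok rather than raising, so the rule can run unattended over a log feed.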
Admins who are still using InfiniteWP Client version 126.96.36.199 or earlier are advised to update their installations as soon as possible to prevent having their websites compromised.
Another authentication bypass, caused by Improper Authentication logic and allowing users to log in as admins, was found in the WordPress plugin dubbed WP Time Capsule.
The WP Time Capsule plugin is also developed by Revmakx and is active on more than 20,000 websites. The flaw was also patched by the developer on January 8, with almost all users (~19,180) having already patched their installations since.