The team at WebArx, a security firm specializing in WordPress and other CMS and publishing platforms, reported the flaws in WP Time Capsule and InfiniteWP.
The WebArx team discovered a critical authentication bypass vulnerability in each of InfiniteWP Client and WP Time Capsule while monitoring the code of popular plugins used by their customers. In both cases a logic flaw in the plugin's code lets a request obtain an administrator session without supplying a password.
General firewall protection is not enough
“Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from,” WebArx says.
WebArx noted that these vulnerabilities are hard to block with general firewall rules, so the company coded a dedicated feature in its firewall specifically to block them. The firm advised customers who rely on a firewall from another vendor to ask that vendor whether their firewall blocks these particular vulnerabilities.
The InfiniteWP Client plugin is active on over 300,000 websites. In the case of InfiniteWP, a user who knows only the username of an administrator on the site can send a raw POST request whose payload is JSON-encoded and then Base64-encoded, and is then automatically logged in to that administrator account.
WP Time Capsule, a backup tool running on around 20,000 sites, requires even less: the body of a raw POST request only needs to contain a certain string, with no encoding of the payload, and the request is granted administrator access to the site without any authentication.
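Because the malicious requests carry no signature-like payload, a generic WAF rule has little to match on; what a defender can do is flag unauthenticated POST requests whose body has the shape the article describes (a single Base64 token that decodes to a JSON object, or a body containing a known marker string). The following is an added detection example written for this page, not WebArx's firewall rule and not code from either plugin. The request records, the field names, and the marker string are all constructed for illustration; the real plugin protocol fields are not documented here.

```python
import base64
import json
import re

# Matches a body that is one bare Base64 token (no '&', no '=' key/value pairs).
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed placeholder: a defender would substitute the string a vendor
# advisory identifies, not this value.
CONSTRUCTED_MARKER = "CONSTRUCTED_MARKER_STRING"


def decodes_to_json_object(body: str) -> bool:
    """True if the body is a Base64 token that decodes to a JSON object."""
    if not body or not _B64_TOKEN.match(body):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
        return isinstance(json.loads(decoded.decode("utf-8")), dict)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False


def classify_request(req: dict, marker: str = CONSTRUCTED_MARKER) -> list:
    """Return the reasons an unauthenticated POST looks like a bypass attempt."""
    reasons = []
    if req.get("method") != "POST" or req.get("authenticated"):
        return reasons  # only anonymous POSTs are interesting for this rule
    body = req.get("body", "")
    if decodes_to_json_object(body):
        reasons.append("base64-json-body")
    if marker in body:
        reasons.append("marker-string")
    return reasons


def scan_requests(requests: list) -> list:
    """Return (index, reasons) for every request that triggers at least one reason."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic, not captured from any real site.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-login.php", "authenticated": False,
     "body": "log=alice&pwd=secret&wp-submit=Log+In"},          # normal login form
    {"method": "POST", "path": "/", "authenticated": False,     # Base64(JSON) body
     "body": base64.b64encode(b'{"action":"EXAMPLE","username":"admin"}').decode()},
    {"method": "POST", "path": "/", "authenticated": False,     # marker string body
     "body": "CONSTRUCTED_MARKER_STRING=1&data=foo"},
    {"method": "GET", "path": "/?p=1", "authenticated": False, "body": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "authenticated": True,
     "body": base64.b64encode(b'{"action":"heartbeat"}').decode()},  # logged-in user
]

if __name__ == "__main__":
    for index, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(reasons)}")
```

Run as-is it reports requests 1 and 2 and stays silent on the ordinary login form, the GET, and the authenticated admin-ajax call. The Base64-JSON heuristic will also fire on legitimate integrations that post encoded JSON anonymously, so it is an alerting or rate-limiting signal rather than a hard block; the marker-string check is the precise rule and should be fed the exact string from the vendor's advisory.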