Two popular WordPress plugins, “InfiniteWP Client” with over 300,000 installations and “Backup & Staging by WP Time Capsule” with over 20,000 installations, had serious security flaws that left more than 320,000 websites exposed to hackers.
Researchers at WebArx found the vulnerabilities and provided details about the type and severity of the security flaws in both WordPress plugins. According to those details, the researchers found a “Critical Auth Bypass Vulnerability” in both plugins.
The plugins are used to manage multiple WordPress websites from a single server; they also create and manage backup files and update the database when a site is updated. The researchers found problems in the code logic that allow users to log in to the administrator account without a password.
The team said, “The logical issues impacting InfiniteWP versions below 18.104.22.168 mean that it is possible to use a POST request payload with JSON and Base64 encoding to bypass password requirements and log in by knowing only the username of an administrator.”
“Similarly in WP Time Capsule Plugin versions below 1.21.16 an issue in a functions line can be exploited by adding a crafted string in a raw POST request to call a function that catches all available admin accounts and log in as the first administrator on the list.”
These issues were critical and devastating. The researchers reported them to the plugin developers on January 7, and the companies released security updates a day later to close the loopholes in the plugins.
The developers changed action codes, removed some function calls and added payload authenticity checks to secure the plugins. Sites running an updated or latest version of these two plugins do not need to worry about these flaws; sites that have not updated the plugins for a while must switch to the latest version to avoid damage.