Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should

Another day, another critical set of flaws


A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software.

The team at WebArx, a security firm specializing in WordPress and other CMS and publishing platforms, took credit for discovering and reporting the flaws in WP Time Capsule and InfiniteWP. Both plugins were patched earlier this month by their developer, and the updates should be applied.

In each case, WebArx says, the authentication bypass flaws were down to "logical issues" that, when targeted, gave an attacker admin access over the site without the need for a password.

In the case of InfiniteWP, a management tool with an estimated 300,000 users, the attacker would make a POST request whose payload is written in JSON and then encoded in Base64. If properly encoded, the request bypasses the password check and logs the user in with only the username.

For WP Time Capsule, a backup tool running on around 20,000 sites, the bypass would also be sent as a POST request, but without the need for the payload to be encoded. Again, if a specific string is included in the request, the code won't ask for authentication and will allow admin access to the site.

Patching the plugins is particularly important here, as attacks on these vulnerabilities would likely slip past firewalls.

"Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from," WebArx explained.

"In this case, it’s hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate looking payload of both plugins."
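The practical consequence of WebArx's point is that a rule engine inspecting the raw request body sees only a Base64 blob and cannot tell a legitimate management call from a bypass attempt. The following is an added illustration, not code from the article, WebArx, or Revmakx: it normalises a POST body by looking through one layer of Base64 before parsing the JSON, so that the same structural check (a request that names a user but carries no credential field) can be applied to both the encoded InfiniteWP-style and the plain WP Time Capsule-style payloads the article describes. The field names, endpoint prefix, and sample traffic are constructed placeholders; the article does not name the plugins' real request parameters.

```python
import base64
import binascii
import json

# Constructed placeholders (assumptions for this example): the article only
# says one bypass is a POST whose JSON payload is Base64-encoded and that it
# logs the user in with only a username; it does not name the request fields
# or the endpoint path. None of these are the plugins' real parameters.
USER_FIELDS = ("username", "user")
CREDENTIAL_FIELDS = ("password", "password_hash", "token")
PLUGIN_PREFIX = "/wp-content/plugins/"


def _decode_base64(raw: bytes):
    """Strict Base64 decode; None if the body is not valid Base64."""
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_body(raw: bytes):
    """Return (json_object, was_encoded) for a POST body that is a JSON object
    either directly or wrapped in one layer of Base64; (None, False) otherwise."""
    for candidate, encoded in ((raw, False), (_decode_base64(raw), True)):
        if candidate is None:
            continue
        try:
            obj = json.loads(candidate)
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(obj, dict):
            return obj, encoded
    return None, False


def inspect_post(path: str, body: bytes) -> dict:
    """Return findings for one POST to a plugin endpoint. A JSON body that names
    a user but carries no non-empty credential field is flagged, whether or not
    the body was Base64-encoded (the layer a generic body-matching rule misses)."""
    finding = {"path": path, "encoded": False, "flagged": False, "reason": ""}
    if not path.startswith(PLUGIN_PREFIX):
        return finding
    obj, encoded = parse_body(body)
    finding["encoded"] = encoded
    if obj is None:
        return finding
    names_user = any(f in obj for f in USER_FIELDS)
    has_credential = any(obj.get(f) for f in CREDENTIAL_FIELDS)
    if names_user and not has_credential:
        finding["flagged"] = True
        finding["reason"] = "user named without any credential field"
    return finding


def scan(requests):
    """Run inspect_post over (path, body) pairs; return only flagged findings."""
    return [f for p, b in requests if (f := inspect_post(p, b))["flagged"]]


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
    # management call that does carry a credential field: not flagged
    ("/wp-content/plugins/example-manager/index.php",
     base64.b64encode(json.dumps({"username": "admin", "password_hash": "x"}).encode())),
    # same shape with the credential omitted, wrapped in Base64: flagged
    ("/wp-content/plugins/example-manager/index.php",
     base64.b64encode(json.dumps({"username": "admin", "action": "login"}).encode())),
    # plain JSON with no credential, the unencoded case: flagged
    ("/wp-content/plugins/example-backup/index.php",
     json.dumps({"user": "admin", "action": "login"}).encode()),
    # ordinary login form POST outside the plugin prefix: ignored
    ("/wp-login.php", b"log=admin&pwd=secret"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check is deliberately structural rather than signature-based: it does not look for a known bad string, which is exactly what WebArx says is absent here, but for a request that is missing something every legitimate authenticated call should carry. In practice the decode step is the part worth porting into whatever sits in front of the site; the field names must be replaced with the plugin's real ones.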

WebArx noted that, to their credit, Revmakx, the developer of both plugins, was quick to respond and each was updated within a day of being reported.

Let this serve as a reminder to admins that WordPress and all of its plugins should be included in your regular update cycles. While patches for Windows, Acrobat, and other software get much of the press, WordPress is an extremely popular target for attackers looking to hijack sites and install things like cryptocoin miners or MageCart. ®
