Delaware, USA – January 16, 2020 – Popular WordPress plugins contain logical issues in their code that allow adversaries to log in to an administrator account without a password. Updates came out last week, but the security advisory by WebArx experts was published only this Tuesday, so now it is not only Windows that needs to be updated as soon as possible.
The InfiniteWP Client plugin has 300,000+ active installations and allows users to manage an unlimited number of WordPress sites from a single server. To exploit the vulnerability in InfiniteWP, an attacker needs to encode the payload with JSON, then Base64, and send it raw to the site in a POST request. The only thing the attacker needs to know is the username of an administrative account; once the request has been sent, the attacker is logged in as that user automatically. WP Time Capsule is a less popular tool that helps admins back up sites in real time and migrate websites to new locations. To exploit the flaw in WP Time Capsule, an attacker only needs to add a certain string to the body of the raw POST request.
It is hard to block this vulnerability with general firewall rules because the payload is encoded, and a malicious payload would not look much different from a legitimate payload for either plugin. These vulnerabilities may be of interest primarily to MageCart groups that install skimmers on websites to steal payment card data. You can use the Web Application Security Framework rule pack to minimize risks related to the use of publicly accessible web resources by detecting their misuse and breach attempts in a timely manner: https://my.socprime.com/en/integrations/web-application-security-framework
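As an added illustration of why a plain string-matching firewall rule misses the JSON-then-Base64 layering described above (this is example code, not the plugins' code or the rule pack itself), the snippet below decodes a request body before applying a rule. The action and field names in the constructed sample are assumptions for illustration, not the plugins' real parameter names.

```python
import base64
import binascii
import json

# Constructed sample request body: a JSON document, then Base64-encoded, which is
# the layering the advisory describes. The field names are assumptions, not the
# plugins' real parameters.
SAMPLE_BODY = base64.b64encode(
    json.dumps({"action": "login_as", "username": "admin"}).encode()
).decode()


def decode_layered_body(raw_body: str):
    """Reverse the Base64-then-JSON layering; return a dict, or None if the body
    is not valid Base64, not JSON, or not a JSON object."""
    try:
        decoded = base64.b64decode(raw_body, validate=True)
        obj = json.loads(decoded)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def surface_rule_matches(raw_body: str, needle: str = '"username"') -> bool:
    """A generic WAF-style substring rule applied to the raw, still-encoded body.
    The quote characters are outside the Base64 alphabet, so this never fires."""
    return needle in raw_body


def decoded_rule_matches(raw_body: str) -> bool:
    """The same intent applied after decoding: an account name supplied without
    any credential-like field (assumed field names) is what a rule should flag."""
    obj = decode_layered_body(raw_body)
    if obj is None:
        return False
    credential_fields = {"password", "token", "signature"}
    return "username" in obj and not (set(obj) & credential_fields)


if __name__ == "__main__":
    print("raw body matches:", surface_rule_matches(SAMPLE_BODY))      # False
    print("decoded body matches:", decoded_rule_matches(SAMPLE_BODY))  # True
```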