Critical bugs in WordPress plugins InfiniteWP, WP Time Capsule expose 320,000 websites to attack

If you use these plugins you should update immediately as firewall protection will not work.


Two WordPress plugins, InfiniteWP Client and WP Time Capsule, contain serious security vulnerabilities that have exposed an estimated 320,000 websites to exploitation.

The pair, used to manage multiple WordPress websites from one server and create backups for files and database entries when updates are issued, were examined by cybersecurity researchers from WebArx who found "logical issues in the code that allows you to login into an administrator account without a password."


InfiniteWP is active on over 300,000 websites and WP Time Capsule is active on at least 20,000 domains, according to the WordPress plugins library. 

On Tuesday, the team said the logical issues affecting InfiniteWP versions below 1.9.4.5 mean that a POST request carrying a Base64-encoded JSON payload can bypass the password check and log in knowing only the username of an administrator.

In WP Time Capsule versions below 1.21.16, an issue in a single line of a function can be exploited by adding a crafted string to a raw POST request, which calls a function that retrieves all available administrator accounts and logs in as the first admin on the list.


WebArx reported the vulnerabilities on 7 January to the developer of both plugins, who responded quickly and pushed out a software update only a day later.

In order to resolve these issues, the developer tweaked action codes, removed several function calls and added payload authenticity checks.


It is important for webmasters to apply these patches, WebArx says, as it can be "hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins."

"The developer was very fast to react and released the patches on the very next day after our initial report," the team added. "It's always great to see developers who are taking action quickly and letting their customers know about the issues to help people update to a more secure version as soon as possible."
