A severe authentication bypass vulnerability allowed anyone to log in as an administrator on WordPress websites running an affected version of the InfiniteWP Client plugin, due to a logic error in the plugin's code.
Based on active installations tracked by the WordPress plugin directory, the open-source InfiniteWP Client plugin is currently installed on more than 300,000 websites, while the plugin's own website claims more than 513,000 installations.
InfiniteWP Client is designed to let users manage an unlimited number of WordPress websites from a central location, including one-click updates of WordPress core, plugins and themes across all of those sites.
Critical Authentication Bypass Vulnerability
One day after researchers at WebARX, a web application security company, disclosed the vulnerability on January 7, plugin maker Revmakx released a patched version of InfiniteWP Client on January 8.
Since the release of the patched version, more than 167,000 users have updated their installations, leaving roughly 130,000 sites that still need to update to be protected from attacks exploiting this flaw.
“For the request to even reach the vulnerable part of the code, we must first encode the payload using JSON, then Base64, and then send it raw in a POST request,” WebARX said.
“We just need to know the administrator username on the site. After sending the request, you will be automatically logged in as the user.”
The problem was discovered in the iwp_mmb_set_request function of the init.php file, which is designed to check if the operation attempted by the user has been authenticated.
However, the researchers found that the readd_site and add_site actions are exempt from that authorization check, so a request carrying the right payload reaches the login code without ever being authenticated and logs the requester in as the named user, who can be an administrator.
“Once the payload meets these conditions, the supplied username parameter will be used to log the requester in as that user without any further authentication,” WebARX said.
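To make the logic error concrete, the following Python is an added example and not the plugin's code or WebARX's proof of concept. It models the request flow the article describes (JSON, then Base64, sent raw as the POST body), a flawed handler in which the two exempt action names skip the authorization check yet still reach the code that logs in the supplied username, the corrected handler in which nothing that can result in a login bypasses that check, and a detection check a WAF or log review could apply. The JSON key names, the token-based authorization stand-in, and the user and token fixtures are all assumptions.

```python
import base64
import json

# Actions the article says were exempt from the authorization check in
# iwp_mmb_set_request(). Everything else here is a constructed model of
# that flow, not the plugin's own code.
EXEMPT_ACTIONS = {"readd_site", "add_site"}

# Constructed fixtures: one site with two users and one valid
# server-to-client token (assumption: a per-site shared token stands in
# for whatever the real plugin verifies).
USERS = {"admin", "editor"}
VALID_TOKENS = {"site-token-1"}


def build_raw_body(action, username, token=None):
    """Encode a request as the article describes: JSON, then Base64, sent
    raw as the POST body. The key names are assumptions."""
    payload = {"iwp_action": action, "params": {"username": username}}
    if token is not None:
        payload["token"] = token
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decode_raw_body(body):
    """Reverse of build_raw_body. Returns None unless the body is valid
    Base64 that decodes to a JSON object."""
    try:
        data = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return data if isinstance(data, dict) else None


def _params(req):
    params = req.get("params")
    return params if isinstance(params, dict) else {}


def _is_authorized(req):
    return req.get("token") in VALID_TOKENS


def _login(req):
    username = _params(req).get("username")
    if username in USERS:
        return {"status": 200, "logged_in_as": username}
    return {"status": 404, "logged_in_as": None}


def vulnerable_handler(body):
    """Flawed flow: exempt actions skip the authorization check but still
    fall through to the code that logs in the supplied username."""
    req = decode_raw_body(body)
    if req is None:
        return {"status": 400, "logged_in_as": None}
    if req.get("iwp_action") not in EXEMPT_ACTIONS and not _is_authorized(req):
        return {"status": 403, "logged_in_as": None}
    return _login(req)


def patched_handler(body):
    """Corrected flow: every request that can end in a login must pass the
    authorization check, whatever action name it carries."""
    req = decode_raw_body(body)
    if req is None:
        return {"status": 400, "logged_in_as": None}
    if not _is_authorized(req):
        return {"status": 403, "logged_in_as": None}
    return _login(req)


def looks_like_bypass_attempt(body):
    """Detection check for a WAF rule or log review: a request with no
    token whose decoded body names an exempt action and a username."""
    req = decode_raw_body(body)
    if req is None:
        return False
    return (req.get("iwp_action") in EXEMPT_ACTIONS
            and "username" in _params(req)
            and "token" not in req)
```

The decisive difference between the two handlers is a single condition: in the flawed version the exemption that was meant to let a site be (re)registered also exempts the request from the one check standing between an anonymous POST and an administrator session. The detection function only flags unauthenticated requests, so legitimate registrations that carry a token are not reported.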
Administrators still running an InfiniteWP Client version older than the patched release should update their installation as soon as possible to prevent their website from being taken over.
Another authentication bypass caused by incorrect authentication logic was found in the WP Time Capsule WordPress plugin, which likewise allowed attackers to log in as an administrator.
The WP Time Capsule plugin is also developed by Revmakx and is active on more than 20,000 websites. That vulnerability was fixed by the plugin's developers as well, and almost all users have since updated their installations.