Researchers have found serious flaws in three WordPress plugins installed on a combined 400,000 websites, leaving those sites open to takeover.
The flaws were identified in InfiniteWP Client, WP Time Capsule and WP Database Reset. The first two are authentication bypass vulnerabilities that let anyone reach a site's admin backend without a password; the third is a missing authorization check that lets a request wipe the database.
InfiniteWP Client:
This plugin is by far the worst affected: the authentication bypass hits more than 300,000 websites running InfiniteWP Client. InfiniteWP lets administrators manage many WordPress sites from a central server; the client plugin is installed on each managed site to receive that server's commands.
By exploiting the vulnerability, anyone can log in to an administrator account without a password.
That lets an attacker delete content, create new accounts and carry out a whole range of other malicious actions. Exploiting the flaw requires only the username of an existing account and a crafted payload sent to the target site in a POST request.
The vulnerability stems from a feature that logs a user in automatically as an administrator without a password being sent. If you are running InfiniteWP Client version 1.9.4.4 or earlier on your website, update to 1.9.4.5 immediately.
WP Time Capsule:
WP Time Capsule, a plugin that simplifies backing up site data and is installed on about 20,000 websites, suffers from a similar authentication bypass that lets attackers log in as an administrator.
To exploit it, an attacker only has to include a particular string in the body of a POST request; the plugin then fetches the list of administrator accounts and logs the requester in as the first one.
A fix was released in version 1.21.16, so if you are running an earlier version, upgrade your site now.
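As an added illustration of the two auto-login patterns described above (it is not code from InfiniteWP Client or WP Time Capsule, whose internals this article does not show), the following WordPress plugin fragment first reproduces both mistakes in one handler, then shows a hardened handler that authenticates the request with an HMAC over the raw body before dispatching anything. Every name in it is an assumption made up for the example: the acme_* functions, the option keys, the X-Acme-Signature header, the JSON fields and the register_site/reregister_site action names.

```php
<?php
/**
 * Added illustration, not code from InfiniteWP Client or WP Time Capsule.
 * A remote-management endpoint that lets the POST body decide who gets
 * logged in, beside a hardened version that authenticates the request first.
 * Assumptions: the acme_* names, option keys, header name, JSON fields and
 * action names are invented for this example.
 */

// ---- VULNERABLE: the request body alone decides who is logged in ---------
add_action( 'init', 'acme_remote_vulnerable' );
function acme_remote_vulnerable() {
    $raw = file_get_contents( 'php://input' );
    if ( '' === $raw ) {
        return;
    }

    // Pattern 1: certain "setup" actions are handled before any credential
    // check, and the payload itself names the account to log in as.
    $decoded = base64_decode( $raw, true );
    $req     = $decoded ? json_decode( $decoded, true ) : null;
    if ( is_array( $req )
        && in_array( $req['action'] ?? '', array( 'register_site', 'reregister_site' ), true ) ) {
        $user = get_user_by( 'login', $req['username'] ?? '' );
        if ( $user ) {
            wp_set_current_user( $user->ID );
            wp_set_auth_cookie( $user->ID ); // admin session from a username alone
        }
        return;
    }

    // Pattern 2: a marker string anywhere in the body logs in the first
    // administrator, so the attacker does not even need a username.
    if ( false !== strpos( $raw, 'ACME_MARKER' ) ) {
        $admins = get_users( array( 'role' => 'administrator', 'number' => 1 ) );
        if ( $admins ) {
            wp_set_current_user( $admins[0]->ID );
            wp_set_auth_cookie( $admins[0]->ID );
        }
    }
}

// ---- HARDENED: authenticate the message before dispatching anything ------
add_action( 'init', 'acme_remote_hardened' );
function acme_remote_hardened() {
    $raw = file_get_contents( 'php://input' );
    if ( '' === $raw || empty( $_SERVER['HTTP_X_ACME_SIGNATURE'] ) ) {
        return;
    }

    // Shared secret agreed with the management server when the site was
    // enrolled (assumption: stored in an option by that out-of-band step).
    $secret = get_option( 'acme_remote_secret' );
    if ( ! is_string( $secret ) || '' === $secret ) {
        return;
    }

    // 1. Every request, "setup" ones included, must carry a valid HMAC over
    //    the exact bytes received. hash_equals() is constant-time.
    $expected = hash_hmac( 'sha256', $raw, $secret );
    if ( ! hash_equals( $expected, (string) $_SERVER['HTTP_X_ACME_SIGNATURE'] ) ) {
        status_header( 403 );
        exit;
    }

    // 2. Bind the signed message to a time window so a captured request
    //    cannot simply be replayed later.
    $req = json_decode( $raw, true );
    if ( ! is_array( $req ) || abs( time() - (int) ( $req['ts'] ?? 0 ) ) > 300 ) {
        status_header( 403 );
        exit;
    }

    // 3. The identity comes from enrollment, never from the client: the
    //    management server was enrolled as one specific administrator.
    $user_id = (int) get_option( 'acme_remote_user_id' );
    if ( ! $user_id || ! user_can( $user_id, 'manage_options' ) ) {
        status_header( 403 );
        exit;
    }
    wp_set_current_user( $user_id );
    // No auth cookie is issued: the signed request is authorised for this
    // one call only, and a management server never needs a browser session.
    acme_dispatch( $req['action'] ?? '', $req['params'] ?? array() );
    exit;
}

// Minimal command dispatcher standing in for the real one (assumption).
function acme_dispatch( $action, $params ) {
    if ( 'ping' === $action ) {
        wp_send_json( array( 'ok' => true, 'site' => home_url() ) );
    }
    wp_send_json_error( 'unknown action', 400 );
}
```

The two properties the hardened handler restores are the ones both bugs lacked: no action runs before the request has been authenticated, and the account the request acts as is fixed at enrollment rather than chosen by whoever sends the POST.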
WP Database Reset:
The third flaw was found in the WP Database Reset plugin, which is installed on almost 80,000 websites. It stems from the reset functions, which were not protected by the standard capability checks or security nonces. Exploiting it results in complete data loss or a full site reset.
A second flaw in WP Database Reset opens a privilege escalation path: any authenticated user, even one with only subscriber-level rights, can gain administrator privileges and lock every other user out.
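The following WordPress plugin fragment is an added illustration of the pattern just described (it is not WP Database Reset's own code, which the article does not show): a table-reset action hooked on admin_init with no capability check and no nonce, plus a "keep me logged in" shortcut that re-creates the requester as administrator, followed by a hardened version. The acme_* names, the form fields, the nonce action and the table allowlist are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not WP Database Reset's own code: a "reset tables"
 * action hooked on admin_init, first as the unprotected pattern, then hardened.
 * The acme_* names, form fields, nonce action and allowlist are invented.
 */

// ---- VULNERABLE ----------------------------------------------------------
add_action( 'admin_init', 'acme_reset_vulnerable' );
function acme_reset_vulnerable() {
    global $wpdb;
    if ( empty( $_REQUEST['acme_reset'] ) ) {
        return;
    }
    // admin_init also fires for /wp-admin/admin-ajax.php, which anonymous
    // visitors can reach, so running inside admin_init proves nothing about
    // the caller. Nothing below checks who is asking or whether they meant to.
    $tables = (array) $_REQUEST['acme_reset'];
    foreach ( $tables as $table ) {
        $wpdb->query( "TRUNCATE TABLE `{$wpdb->prefix}{$table}`" ); // unvalidated name, too
    }
    // Privilege-escalation path: after wiping the users table, re-create
    // whoever is logged in as administrator. A subscriber who reaches this
    // is now the only account on the site, and an administrator.
    if ( in_array( 'users', $tables, true ) && is_user_logged_in() ) {
        $me = wp_get_current_user();
        $id = wp_insert_user( array(
            'user_login' => $me->user_login,
            'user_pass'  => wp_generate_password(),
            'role'       => 'administrator',
        ) );
        if ( ! is_wp_error( $id ) ) {
            wp_set_auth_cookie( $id );
        }
    }
}

// ---- HARDENED ------------------------------------------------------------
const ACME_RESET_NONCE = 'acme_reset_tables';

// Explicit allowlist of content tables. users and usermeta are never
// touched, so no role can change as a side effect of a reset.
function acme_resettable_tables() {
    return array( 'posts', 'postmeta', 'comments', 'commentmeta',
                  'terms', 'term_taxonomy', 'term_relationships' );
}

// Settings-page form: the nonce field ties the request to a deliberate click
// by the logged-in administrator who was shown the form.
function acme_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( ACME_RESET_NONCE, 'acme_reset_nonce' );
    foreach ( acme_resettable_tables() as $t ) {
        printf( '<label><input type="checkbox" name="acme_reset[]" value="%s"> %s</label><br>',
            esc_attr( $t ), esc_html( $t ) );
    }
    echo '<button type="submit">Reset selected tables</button></form>';
}

add_action( 'admin_init', 'acme_reset_hardened' );
function acme_reset_hardened() {
    global $wpdb;
    if ( empty( $_POST['acme_reset'] ) ) { // POST only; a GET link cannot trigger it
        return;
    }
    // 1. Authorisation: only administrators may destroy data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset this site.', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the request must carry a nonce issued to this user for this
    //    action, which rules out CSRF and blind triggering. Dies on failure.
    check_admin_referer( ACME_RESET_NONCE, 'acme_reset_nonce' );
    // 3. Input: only allowlisted tables, so no caller-supplied name reaches SQL.
    $requested = array_map( 'sanitize_key', (array) $_POST['acme_reset'] );
    $tables    = array_intersect( $requested, acme_resettable_tables() );
    foreach ( $tables as $table ) {
        $wpdb->query( "TRUNCATE TABLE `{$wpdb->prefix}{$table}`" );
    }
}
```

The three checks in the hardened handler map onto the two bugs: the capability check and nonce close the unauthenticated reset, and keeping the user tables off the allowlist removes the step that turned a low-privilege requester into the sole administrator.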
To avoid falling victim to such attacks, site administrators using this plugin should update to version 3.15, which fixes both bugs. The only good news is that there are no reports so far of these vulnerabilities being exploited in the wild.